Ticket #1585 (closed bug: fixed)

Opened 2 years ago

Last modified 16 months ago

Address cross-site scripting vulnerabilities

Reported by: pablo Owned by: pablo
Priority: Normal Milestone:
Component: flash Keywords:
Cc: Forum thread:

Description

From Phil:

There are multiple XSS vulnerabilities in the JW Player:

The first two instances were previously known and "fixed" with a custom ActionScript function "cleanLink":

        // Original blacklist-style cleaner: strips one leading forbidden scheme.
        // The RegExp has neither the "i" nor the "g" flag and is applied once,
        // so "javascript:javascript:alert(1)" and "JavaScript:alert(1)" pass through.
        public static function cleanLink(arg0:String) : String
        {
            return arg0.replace(new RegExp("^(javascript|asfunction|vbscript)\\:"), "");
        }

This function does not adequately protect against XSS because it will only remove the first instance of the text "javascript:" from a URL. A URL like "javascript:javascript:alert(1)" will be "cleaned" to "javascript:alert(1)".

The other three instances of cross-site scripting vulnerabilities do not appear to be publicly known at this time.

  1. JW Player "link" parameter: Load the URL and click anywhere in the window.
  2. JW Player "logo.link" parameter in licensed versions of JW Player: Load the URL and click on the logo in the top-left.
  3. JW Player "aboutlink" parameter: Load the URL and right-click on the flash application. Choose "getXSSed!" from the menu.

Attachments

1585.html (3.6 KB) - added by pablo 22 months ago.

Change History

comment:1 Changed 2 years ago by pablo

  • Status changed from new to closed
  • Resolution set to fixed
  • Milestone changed from Player 5.10 to Player 5.9 Patch 1

Fixed in [2146]

comment:2 Changed 2 years ago by pablo

  • Milestone changed from Player 5.9 Patch 1 to Player 5.9

Milestone Player 5.9 Patch 1 deleted

comment:3 Changed 2 years ago by pablo

  • Milestone changed from Player 5.9 to Player 5.10

Added an additional check for casing (i.e. "JavaScript:" instead of "javascript:") in [2159]

comment:4 Changed 2 years ago by pablo

  • Status changed from closed to reopened
  • Resolution fixed deleted

If the debug parameter is set to a javascript function, the player will execute it.

comment:5 Changed 2 years ago by pablo

If something like javajavascript:script: appears, the replacement only occurs once. Reported by Ali Pezeshk of Microsoft and Microsoft Vulnerability Research (MSVR).

Last edited 22 months ago by pablo

comment:6 Changed 2 years ago by pablo

  • Status changed from reopened to closed
  • Resolution set to fixed

Resolved in [2206]

Changed 22 months ago by pablo

comment:7 Changed 22 months ago by pablo

Reported by Soroush Dalili (@irsdl, SecProject.com):

Firefox has a vulnerability where a request with the "feed:" prefix will execute any javascript contained within.

example (Firefox only)

Fixed in [2274]

Last edited 22 months ago by pablo

comment:8 Changed 22 months ago by pablo

Last edited 22 months ago by pablo

comment:9 Changed 20 months ago by pablo

  • Status changed from closed to reopened
  • Resolution fixed deleted
  • Milestone changed from Player 5.10 to Player 5.11

In the commercial player, it's possible to use logo.link with base64-encoded HTML to inject javascript (Firefox only):

http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

The aboutlink parameter also suffers from this vulnerability.

Fixed in [2393]

Last edited 20 months ago by pablo
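The following is an added example, not code from the JW Player repository or from any commenter on this ticket. It contrasts a blacklist cleaner shaped like the ticket's cleanLink with an allow-list scheme check, and runs both over the cases this ticket accumulates: the repeated prefix from the description, the casing variant from comment:3, the javajavascript:script: variant from comment:5, the feed: prefix from comment:7 and the data: URI from comment:9. It is written in JavaScript rather than ActionScript so it can be run directly; the names cleanLinkLegacy, isSafeLink, ALLOWED_SCHEMES and the sample URLs are assumptions of this example.

```javascript
// Blacklist-style cleaner mirroring the ticket's cleanLink (one case-sensitive
// replacement of a leading forbidden scheme). Kept here only to show why stripping
// known-bad prefixes is the wrong shape of fix.
function cleanLinkLegacy(url) {
  return url.replace(/^(javascript|asfunction|vbscript):/, "");
}

// Positive allow-list: only these schemes may be handed to the browser.
// (Assumed set for this example; a real player would take it from its config.)
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Normalise the way browsers do before they parse a URL: drop leading/trailing
// C0 controls and spaces, and remove tab/CR/LF anywhere, so "java\nscript:" and
// "\tjavascript:" cannot slip past the scheme match as "relative" URLs.
function normaliseForSchemeCheck(url) {
  return url.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Returns the scheme (lower-cased) if the URL is absolute, or null if it has no
// scheme and therefore resolves relative to the page. Scheme syntax per RFC 3986:
// ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
function extractScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(normaliseForSchemeCheck(url));
  return m === null ? null : m[1].toLowerCase();
}

// True if the link may be passed to navigation: relative URLs (no scheme at all)
// or absolute URLs whose scheme is on the allow-list. javascript:, vbscript:,
// asfunction:, feed:, data: and any unknown scheme are rejected, never "cleaned".
function isSafeLink(url) {
  if (typeof url !== "string" || url.length === 0) return false;
  const scheme = extractScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Substitute a known-good fallback instead of trying to repair a bad link.
function safeLinkOrFallback(url, fallback) {
  return isSafeLink(url) ? url : fallback;
}

// Constructed sample inputs drawn from the cases this ticket describes.
const SAMPLES = [
  "javascript:javascript:alert(1)",   // description: prefix stripped once
  "JavaScript:alert(1)",              // comment:3: casing
  "javajavascript:script:alert(1)",   // comment:5: split prefix
  "feed:javascript:alert(1)",         // comment:7: feed: wrapper (Firefox)
  "data:text/html;base64,PHNjcmlwdD4=", // comment:9: data: URI
  "\tjavascript:alert(1)",            // leading control character
  "http://example.com/watch/1",       // legitimate absolute link
  "/watch/1",                         // legitimate relative link
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "legacy ->", JSON.stringify(cleanLinkLegacy(s)),
              "| allow-list ->", isSafeLink(s));
}
```

The point of the allow-list shape is that every variant on this ticket is rejected by the same three lines, whereas each blacklist bypass (casing, repetition, an alternative scheme, a wrapper scheme) needed its own follow-up commit.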

comment:10 Changed 20 months ago by pablo

  • Status changed from reopened to closed
  • Resolution set to fixed

comment:11 Changed 16 months ago by pablo

  • Milestone Player 5.11 deleted

Milestone Player 5.11 deleted
