Friday, August 16, 2013

ESET and Symantec victims of vulnerable JW Player

It seems that there are still many JW Players outdated in the wild.
I reported two security issues, the same vulnerability I published about Yahoo, on ESET and Symantec sites.

The problem lies in a vulnerable Flash player (JW Player) that can be used to exploit Cross Site Flashing (OWASP-DV-004).
This may be used to trick innocent users, spreading malware and even hijacking accounts under the name of ESET and Symantec.

#1 Proof-of-concept on ESET:
http://www.eset.ro/suport-antivirus/video-player/player.swf?playerready=alert("xss by @dsopas")

#2 Proof-of-concept on Symantec:
https://hp.symantec.com/sites/all/modules/contrib/jwplayermodule/player.swf?playerready=alert("xss by @dsopas");

Both issues were fixed (JW Player removed) by the vendors.

Timeline #1:
18 Jun 2013: Reported to ESET
03 Jul 2013: Fixed by ESET
16 Aug 2013: Full disclosure

Timeline #2:
19 Jun 2013: Reported to Symantec
20 Jun 2013: I noticed that the script was removed. Never got a reply back.
16 Aug 2013: Full disclosure

Tuesday, August 13, 2013

Vulnerable JW Player on two Yahoo sites

Challenged by some web security analysts who told me that it is very hard to still find web vulnerabilities on Yahoo sites, I found two flaws.
Both security issues are located in a vulnerable Flash player, JW Player (discovered by Neal Poole in April), that can be used to inject an XSS vector.
This type of attack could be used to trick innocent users, infecting them with malware and even getting their accounts hijacked under the name of Yahoo.

Proof-of-concept:
#1 http://especiales.yahoo.net/turismo-de-tunez/wp-content/themes/studiozen/js/jwplayer/player.swf?playerready=alert("xss by @dsopas")

#2 http://www.yahoosportsradio.com/source/mediaplayer/player.swf?playerready=alert("xss by @dsopas")

Upgrading JW Player would fix this vulnerability, but Yahoo decided to delete the files instead, because they were old files forgotten on the web server. Deleting files you don't need should always be a priority; they could become a security risk in the future.
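The vector in both posts is the same: a forgotten player.swf whose playerready parameter is supposed to carry a JavaScript function name but is passed straight to the browser as code. Below is an added example (my own script, not from the original posts or from JW Player) that scans Apache/nginx "combined" access log lines for requests to a .swf file whose playerready value is anything other than a plain identifier, so a site owner can see whether such a file is still being hit and whether it is still served (HTTP 200) or already gone (404). The log lines, IP addresses and paths are constructed; treating dotted names as legitimate callbacks is an assumption.

```python
"""Flag requests that abuse the JW Player `playerready` callback in web server access logs.

Added example (not from the original post): it scans Apache/nginx "combined" format
log lines for hits on a .swf file whose playerready parameter is not a plain
JavaScript function name, which is how the proofs-of-concept above inject script.
"""
import re
from urllib.parse import parse_qs, urlsplit

# One request per line in the common "combined" log format (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# JW Player (Flash) callback parameters that take a JavaScript function name.
# `playerready` is the one used on the page; a set is kept so other names can be added.
CALLBACK_PARAMS = {"playerready"}

# A legitimate value is a bare function name such as "onPlayerReady" or "jw.ready";
# parentheses, quotes or operators mean the value is being used as code (assumption:
# dotted names are allowed, everything else is treated as suspect).
IDENT_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")


def classify_request(path):
    """Return a finding for a .swf request whose callback value is not an identifier, else None."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith(".swf"):
        return None
    # parse_qs percent-decodes, so alert(%22xss%22) is inspected as alert("xss").
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() not in CALLBACK_PARAMS:
            continue
        for value in values:
            if not IDENT_RE.match(value):
                return {"swf": parts.path, "param": name, "value": value}
    return None


def scan_access_log(lines):
    """Parse each log line and collect findings with the client IP, time and HTTP status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hit = classify_request(m.group("path"))
        if hit:
            hit.update(ip=m.group("ip"), time=m.group("time"), status=int(m.group("status")))
            findings.append(hit)
    return findings


# Constructed sample log lines (TEST-NET addresses, invented paths and timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Aug/2013:10:01:02 +0000] "GET /video-player/player.swf?playerready=onPlayerReady HTTP/1.1" 200 11873 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Aug/2013:10:02:15 +0000] "GET /video-player/player.swf?playerready=alert(%22xss%22) HTTP/1.1" 200 11873 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Aug/2013:10:03:40 +0000] "GET /index.html?playerready=alert(1) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Aug/2013:10:05:09 +0000] "GET /js/jwplayer/player.swf?file=intro.flv&playerready=alert(document.domain) HTTP/1.1" 404 209 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        state = "file still served" if f["status"] == 200 else "file gone"
        print(f'{f["time"]} {f["ip"]} {f["swf"]} {f["param"]}={f["value"]!r} ({state})')
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; a finding with status 200 means the vulnerable player is still reachable and should be upgraded or removed, while a 404 only tells you someone is still probing for it.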

The Yahoo security team sent me the DoD T-shirt and a few other pieces of Yahoo merchandise as a gift.

I would like to mention that Yahoo fixed both vulnerabilities pretty fast proving that they really care about security.

Timeline #1:
07 Jun 2013: Reported to Yahoo
10 Jun 2013: Fixed by Yahoo
13 Aug 2013: Full disclosure

Timeline #2:
13 Jun 2013: Reported to Yahoo
13 Jun 2013: Fixed by Yahoo
13 Aug 2013: Full disclosure

Update: The JW Player security issue has also been present on SecurityFocus since 29 July 2012. Thanks to Avram Marius for this information.