Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: MustLive (mustlivewebsecurity.com.ua)
Date: Wed May 08 2013 - 15:52:12 CDT
These are Cross-Site Scripting vulnerabilities in multiple web applications
with VideoJS. Earlier I've wrote about vulnerabilities in VideoJS
(http://seclists.org/fulldisclosure/2013/May/21). This is popular video and
audio player, which is used at hundreds thousands of web sites and in
multiple web applications.
Among them are VideoJS - HTML5 Video Player for WordPress, Video.js for
Drupal, bo:VideoJS for Joomla, videojs-youtube, Telemeta (CMS). And a lot of
other web applications. All developers of these applications, the same as
developers of all other web applications with VideoJS, need to update it in
Vulnerable are web applications which are using VideoJS Flash Component
3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not
vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be
read in repository on github). Also there are bypass methods which work in
the last version, but the developers haven't fixed them due to their low
impact. So update to last version of VideoJS.swf.
Vulnerable are the next web applications:
VideoJS - HTML5 Video Player for WordPress 3.2.3 and previous versions.
Video.js for Drupal 6.x-2.2 and previous 6.x-2.x versions and 7.x-2.2 and
previous 7.x-2.x versions (only these versions are using VideoJS Flash
bo:VideoJS for Joomla 2.1.1 and previous versions (with VideoJS Flash
videojs-youtube (all versions).
Telemeta 1.4.4 and previous versions.
All these developers were informed last week.
VideoJS and VideoJS Flash Component were developed by Zencoder.
Earlier Zencoder, now Brightcove
Cross-Site Scripting (WASC-08):
Original example for VideoJS:
VideoJS - HTML5 Video Player for WordPress:
Video.js for Drupal:
bo:VideoJS for Joomla:
2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They
thanked and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored
the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And
made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding)
and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed
the hole completely and informed them.
2013.05.03 - informed developers of VideoJS - HTML5 Video Player for
2013.05.04 - informed developers of Video.js for Drupal, bo:VideoJS for
Joomla, videojs-youtube, Telemeta. Alongside with sending letter to
developer of bo:VideoJS, also I informed Joomla VEL. They put this extension
from JED to VEL.
2013.05.05 - since developer of videojs-youtube had no e-mails in his github
account and the his e-mail mentioned at different web sites was not working
already, so I published my letter on github.
2013.05.07 - Telemeta developers answered and thanked (the only one among
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/