04.16
Summary
I found a reflected XSS vulnerability in JW Player 5. The developers at LongTail Video have released JW Player 6, which is not vulnerable to this issue. They do not plan to update JW Player 5 to mitigate this vulnerability; I would encourage people to discontinue using JW Player 5 or manually patch/build their own version as a result.
How does it work?
I was aware of a previous vulnerability in JW Player 5 which the
developers had attempted to patch. The original issue is documented in
the LongTail Video Trac as Ticket 1626; the problem was that the
playerReady
parameter to the SWF accepted an arbitrary string and used
it as a callback function to ExternalInterface.call
. That behavior is
roughly equivalent to calling eval
on the value of the playerReady
parameter and allowed for XSS and other badness. There are two relevant
diffs, which made changes as follows:
- 2164: Instead of an arbitrary callback string, the callback string may only contain alpha-numeric characters and periods.
- 2165: Instead of a callback string containing only alpha-numeric characters and periods, the callback string can have any characters except for curly braces and parentheses.
So, the challenge for exploitation was to find a way to execute JavaScript without parentheses or braces. Turns out this was really easy[1], [2]: I used the following code (the comment was needed because of the context in which the code was being executed):
1 | document.location=window.name+'//'+
|
I could then embed arbitrary JavaScript into window.name by convincing users to click on links with ‘target’ attributes I specified.
Proof of Concept
A proof of concept is available at sandboxing.me. The JavaScript executes in the context of the player’s domain, not in the context of sandboxing.me.
How can it be patched
- Discontinue use of JW Player 5. Upgrade to JW Player 6 or use another player.
- If you would like to build your own SWF, you can apply the changes
to
src/com/longtailvideo/jwplayer/player/JavascriptAPI.as
from revision 2267. This disables the use of dynamic callbacks forplayerReady
altogether. If you rely on a customplayerReady
callback, you will need to modify your JavaScript; you will need to declare a function on your page calledplayerReady
which in turn calls your custom function.
Disclosure Timeline
- December 28th, 2012, 11:10 AM: Contacted LongTail Video via their support form with details of the vulnerability.
- December 28th, 2012, 11:39 AM: Received reply asking me to upgrade to JW Player 6.
- December 28th, 2012, 5:52 PM: Sent reply asking for clarification about the end-of-life status of JW Player 5 and whether a patch would be released.
- December 29th, 2012: Received response from developer: “There may be a 5.11 version out to address some of these issues, but since they are already fixed in V6, 5.10 might be the last version of the V5 player.”
- April 16th, 2013: Published this blog post