I found a reflected XSS vulnerability in JW Player 5. The developers at LongTail Video have released JW Player 6, which is not vulnerable to this issue. They do not plan to update JW Player 5 to mitigate this vulnerability; I would encourage people to discontinue using JW Player 5 or manually patch/build their own version as a result.
How does it work?
I was aware of a previous vulnerability in JW Player 5 which the developers had attempted to patch. The original issue is documented in the LongTail Video Trac as Ticket 1626; the problem was that the playerReady parameter to the SWF accepted an arbitrary string and used it as a callback function to ExternalInterface.call. That behavior is roughly equivalent to calling eval on the value of the parameter and allowed for XSS and other badness. There are two relevant diffs, which made changes as follows:
- 2164: Instead of an arbitrary callback string, the callback string may only contain alpha-numeric characters and periods.
- 2165: Instead of a callback string containing only alpha-numeric characters and periods, the callback string can have any characters except for curly braces and parentheses.
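As an added illustration (not JW Player's own ActionScript, which handed the string to ExternalInterface.call), the following JavaScript, the language the callback ultimately runs in, encodes the two filters as I read the diffs and shows a fixed dispatcher that resolves a dotted callback name without ever evaluating it as code. The regexes, the function names and the root object standing in for window are assumptions.

```javascript
// Added example, not JW Player code: the two callback filters the diffs
// describe, and a dispatcher that resolves a dotted name without eval.

// Reading of diff 2164: alpha-numeric characters and periods only.
const STRICT_CALLBACK = /^[A-Za-z0-9.]+$/;
// Reading of diff 2165: anything except curly braces and parentheses.
const LOOSE_CALLBACK = /^[^{}()]*$/;

function isStrictCallbackName(name) {
  return typeof name === 'string' && STRICT_CALLBACK.test(name);
}

function isLooseCallbackName(name) {
  return typeof name === 'string' && LOOSE_CALLBACK.test(name);
}

// Walk "a.b.c" through own properties of `root` (assumed to stand in for
// window). Only own properties are followed, so prototype members such as
// `constructor` are not reachable, and nothing is ever evaluated as code.
function resolveCallback(root, name) {
  if (!isStrictCallbackName(name)) return null;
  let cur = root;
  for (const part of name.split('.')) {
    if (part === '') return null;                      // rejects "a..b", ".a"
    const walkable = cur !== null &&
      (typeof cur === 'object' || typeof cur === 'function');
    if (!walkable || !Object.prototype.hasOwnProperty.call(cur, part)) {
      return null;
    }
    cur = cur[part];
  }
  return typeof cur === 'function' ? cur : null;
}

// Fixed entry point the SWF would call; it dispatches to the validated
// callback instead of letting the player evaluate an arbitrary string.
function playerReady(root, callbackName, playerId) {
  const fn = resolveCallback(root, callbackName);
  if (fn === null) return false;
  fn({ id: playerId });
  return true;
}
```

The loose rule accepts strings the strict rule rejects, which is the gap the second diff opened; the dispatcher makes the strict rule safe even against dotted traversal into prototype members.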
Proof of Concept
How can it be patched?
- Discontinue use of JW Player 5. Upgrade to JW Player 6 or use another player.
- If you would like to build your own SWF, you can apply the changes from the diffs above or remove playerReady altogether. If you rely on a custom playerReady callback, have the player call a fixed callback which in turn calls your custom function.
Timeline
- December 28th, 2012, 11:10 AM: Contacted LongTail Video via their support form with details of the vulnerability.
- December 28th, 2012, 11:39 AM: Received reply asking me to upgrade to JW Player 6.
- December 28th, 2012, 5:52 PM: Sent reply asking for clarification about the end-of-life status of JW Player 5 and whether a patch would be released.
- December 29th, 2012: Received response from developer: “There may be a 5.11 version out to address some of these issues, but since they are already fixed in V6, 5.10 might be the last version of the V5 player.”
- April 16th, 2013: Published this blog post