Friday, August 16, 2013

ESET and Symantec victims of vulnerable JW Player

It seems that there are still many outdated JW Player installations in the wild.
I reported two security issues, the same vulnerability that I published about Yahoo, on ESET and Symantec sites.

The problem lies in a vulnerable Flash player (JW Player) that can be used to exploit Cross-Site Flashing (OWASP-DV-004).
This may be used to trick innocent users into spreading malware, and even to hijack accounts, using the name of ESET and Symantec.

#1 Proof-of-concept on ESET:
http://www.eset.ro/suport-antivirus/video-player/player.swf?playerready=alert("xss by @dsopas")

#2 Proof-of-concept on Symantec:
https://hp.symantec.com/sites/all/modules/contrib/jwplayermodule/player.swf?playerready=alert("xss by @dsopas");

Both issues were fixed (JW Player removed) by the vendors.

Timeline #1:
18 Jun 2013: Reported to ESET
03 Jul 2013: Fixed by ESET
16 Aug 2013: Full disclosure

Timeline #2:
19 Jun 2013: Reported to Symantec
20 Jun 2013: I noticed that the script was removed. Never got a reply back.
16 Aug 2013: Full disclosure
