Vulnerabilities in VideoJS #435
Description
Hello developers of VideoJS!
Two months ago, on 08.02.2013, I informed you about security vulnerabilities in your software (VideoJS Flash Component). These are Denial of Service and Cross-Site Scripting vulnerabilities in the VideoJS Flash Component. The same day Simon answered me, thanked me and passed this information to your engineering team.
The DoS, which leads to a BSOD, I found in January (and after that I found an XSS in your software), and it is related to Adobe Flash Player 11.5.502.146. I informed Adobe about it in January, and Adobe fixed this hole in version 11.6.602.168 on 12.02.2013. But for two months now there have been no answers from you, and the XSS hole still has not been fixed. I wrote reminders to Zencoders on 23.02, 09.03 and 26.03 by e-mail (and on 26.03 also via the contact form on the site), but without any answers.
So I am reminding you about this vulnerability through GitHub. Since I have given you two months, and after disclosing the vulnerability in Adobe Flash last week, I am planning to disclose the hole in VideoJS this week. And you still have not fixed it.
Details of the XSS I wrote in my February letters, so you have already had them for two months. And details of the DoS in Flash using your player you can see in the video (I sent it to you earlier in my letters):
Adobe Flash DoS BSOD
http://www.youtube.com/watch?v=xi29KZ3LD80
Vulnerable are VideoJS Flash Component v3.0 (from different web sites and GitHub) and v3.0.1 (from GitHub), including the Flash file from the latest version, VideoJS 3.2.3.