TWSL2013-007: Multiple Vulnerabilities in VLC Media Player - Web Interface

Yesterday, Trustwave SpiderLabs published an advisory for multiple vulnerabilities in the VLC Media Player web interface. VLC Media Player is one of the most popular open-source media players available. About a year ago, VLC passed a billion downloads, and it is more popular now than ever. It is not unusual for media players to have vulnerabilities such as buffer, heap and stack overflows. However, Tanya Secker of Trustwave SpiderLabs found that features such as the web interface can carry security risk too. Tanya discovered a lack of authentication and authorization in the web interface, which will be addressed in a future VLC release. In the meantime, recent versions mitigate this risk by allowing access control lists (ACLs) to be configured in the application preferences, so anyone who enables the web interface should restrict it to trusted addresses rather than leave it reachable from the whole network.
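The following is an added example, not Trustwave's advisory code and not part of VLC: it shows the two things a practitioner would want around this finding, a host-based allowlist check of the kind the ACL mitigation relies on, and a probe that reports whether a VLC-style web interface hands out its status page without any credentials. The allowlist format (one address or CIDR per line, `#` comments), the `/requests/status.xml` path, the XML body and the loopback test servers are all assumptions constructed for the illustration; nothing here is taken from the advisory.

```python
"""Added example (not Trustwave's or VideoLAN's code): host allowlist check
plus an unauthenticated-access probe for a VLC-style HTTP interface.
The ACL format, endpoint path and served body are assumptions."""
import ipaddress
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed endpoint path; constructed for this example.
STATUS_PATH = "/requests/status.xml"

# Constructed allowlist: one address or CIDR network per line, '#' comments.
ACL_TEXT = """
# local machine only
127.0.0.1
::1
# trusted LAN segment
192.168.1.0/24
"""


def parse_acl(text):
    """Parse allowlist lines into ip_network objects; blanks/comments ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def client_allowed(acl, remote_addr):
    """True if the connecting address falls inside any allowlisted network.
    An IPv4 address never matches an IPv6 network and vice versa."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in acl)


class VlcLikeHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for an interface that has NO authentication: the only
    control is the source-address allowlist, applied before any route."""
    acl = []  # overridden per server in start_server()

    def do_GET(self):
        if not client_allowed(self.acl, self.client_address[0]):
            self.send_response(403)
            self.end_headers()
            return
        if self.path == STATUS_PATH:
            body = b"<root><state>stopped</state></root>"  # constructed body
            self.send_response(200)
            self.send_header("Content-Type", "text/xml")
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server(acl):
    """Start a loopback server on an ephemeral port with the given allowlist."""
    handler = type("Handler", (VlcLikeHandler,), {"acl": acl})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(base_url, timeout=3):
    """Classify an interface: 'open' if the status page is served with no
    credentials, 'restricted' if refused (401/403), else 'unknown'/'unreachable'."""
    try:
        with urllib.request.urlopen(base_url + STATUS_PATH, timeout=timeout) as r:
            return "open" if r.status == 200 else "unknown"
    except urllib.error.HTTPError as e:
        return "restricted" if e.code in (401, 403) else "unknown"
    except (urllib.error.URLError, OSError):
        return "unreachable"


def demo():
    """Probe two constructed servers: one that allows localhost, one LAN-only."""
    results = {}
    cases = (("localhost_allowed", ACL_TEXT), ("lan_only", "192.168.1.0/24\n"))
    for name, acl_text in cases:
        srv = start_server(parse_acl(acl_text))
        url = "http://127.0.0.1:%d" % srv.server_address[1]
        results[name] = probe(url)
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real deployment, point `probe()` at the interface's base URL; an `open` result means the only thing standing between the network and the player's controls is whatever allowlist is configured, which is exactly why the advisory recommends setting one.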

Additionally, Tanya discovered multiple XSS vulnerabilities in the web interface. These vulnerabilities were addressed in 2.0.7 (the latest version of VLC), which is now available at

For more details regarding this advisory, please visit:
