SpiderLabs Blog

TWSL2013-007: Multiple Vulnerabilities in VLC Media Player - Web Interface

Yesterday, Trustwave SpiderLabs published an advisory for multiple vulnerabilities in the VLC Media Player web interface. VLC Media Player is one of the most popular open-source media players available. About a year ago, VLC reached over a billion downloads, and now it's more popular than ever. It is not unusual for media players to have vulnerabilities such as buffer, heap and stack overflows. However, Tanya Secker of Trustwave SpiderLabs discovered that features such as the web interface can also carry security risks. Tanya discovered a lack of authentication and authorization in the web interface, which will be further addressed in a future VLC release. In the meantime, recent versions mitigate this potential security risk by allowing access control lists (ACLs) to be configured in the application preferences.

Additionally, Tanya discovered multiple XSS vulnerabilities in the web interface. These vulnerabilities were addressed in 2.0.7 (the latest version of VLC), which is now available at http://www.videolan.org/