Nytro Posted December 24, 2012 Report Posted December 24, 2012 Multiple vulnerabilities in multiple themes for WordPress From: "MustLive" <mustlive () websecurity com ua>Date: Sun, 23 Dec 2012 01:39:25 +0200Hello list!Some time ago, when I've found vulnerabilities in plugin BuddyPress for WordPress (particularly in Affinity BuddyPress theme for it) with Rokbox, which I disclosed earlier, I also found multiple vulnerable themes for WP with Rokbox.So I want to warn you about multiple vulnerabilities in multiple themes for WordPress. These are themes developed by Rokbox's developers. And they put Rokbox (with JW Player, but without TimThumb) into their themes.These are Content Spoofing, Cross-Site Scripting, Full path disclosure and Information Leakage vulnerabilities. I've disclosed vulnerabilities in JW Player in June and August (including in commercial version JW Player Pro) and disclosed vulnerabilities in Rokbox in December. These vulnerabilities are similar to vulnerabilities in Affinity BuddyPress theme. Also I've found many WP themes by other developers with Rokbox, but I'd write about them separately, because they have much more holes.-------------------------Affected products:-------------------------Vulnerable are all WordPress themes by RocketTheme (during quick research I found 16 themes for WP, in addition to above-mentioned theme for BP, but I supposed all their themes contain Rokbox with JW Player 4.4.198). They haven't removed this vulnerable version of JW Player from Rokbox and so from any of their themes (for WP and BP), when I've informed them in August.Here are these 16 vulnerable themes, which I found:rt_afterburner_wprt_refraction_wprt_solarsentinel_wprt_mixxmag_wp (Mixxmag)rt_iridium_wprt_infuse_wp (infuse)rt_perihelion_wprt_replicant2_wprt_affinity_wprt_nexus_wprt_sentinelrt_mynxx_wp_vestnikprt_mynxx_wp (rt.mynxx.wp)rt_moxy_wprt_terrantribune_wprt_meridian_wpThey will be added to those 94 vulnerable themes for WordPress, in which I've found vulnerabilities (http://websecurity.com.ua/4915/).In Google's index there are now up to 634000 pages with Rokbox at WP sites. So there are a lot of vulnerable themes and web sites with these themes.----------Details:----------The paths for these themes are the next:http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_refraction_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_solarsentinel_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/Mixxmag/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_iridium_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_infuse_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/infuse/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_perihelion_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_replicant2_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_affinity_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_nexus_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_sentinel/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_mynxx_wp_vestnikp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_mynxx_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt.mynxx.wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_moxy_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_terrantribune_wp/js/rokbox/jwplayer/jwplayer.swfhttp://site/wordpress/wp-content/themes/rt_meridian_wp/js/rokbox/jwplayer/jwplayer.swfContent Spoofing (WASC-12):In parameter file there can be set as video, as audio files.Swf-file of JW Player accepts arbitrary addresses in parameters file and image, which allows to spoof content of flash - i.e. by setting addresses of video (audio) and/or image files from other site.http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFFhttp://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv?=1.jpgContent Spoofing (WASC-12):Swf-file of JW Player accepts arbitrary addresses in parameter config, which allows to spoof content of flash - i.e. by setting address of config file from other site (parameters file and image in xml-file accept arbitrary addresses). For loading of config file from other site it needs to have crossdomain.xml.http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml1.xml<config> <file>1.flv</file> <image>1.jpg</image></config>Content Spoofing (WASC-12):http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://siteXSS (WASC-08):http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2BFull path disclosure (WASC-13):In all these themes there is FPD in index.php (http://site/wordpress/wp-content/themes/rt_afterburner_wp/ and the same for other themes), which works at default PHP settings. Also potentially there are FPD in other php-files of these themes.Information Leakage (WASC-13):There are sites with rt_mixxmag_wp theme, which have error log with full paths.http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log------------Timeline:------------ 2012.05.29 - informed developers of JW Player.2012.06.06 - disclosed at my site about JW Player.2012.08.18 - informed developers about new holes in JW Player Pro.2012.08.23 - disclosed at my site about JW Player Pro.2012.08.28 - informed developers of Rokbox.2012.12.14 - disclosed at my site about Rokbox.2012.12.23 - disclosed to the lists about multiple themes for WordPress with Rokbox.Best wishes & regards,MustLiveAdministrator of Websecurity web sitehttp://websecurity.com.ua Sursa: http://seclists.org/fulldisclosure/2012/Dec/236 Quote
