WordPress RocketTheme Content Spoofing / Cross Site Scripting

2012-12-30T00:00:00
ID PACKETSTORM:119158
Type packetstorm
Reporter MustLive
Modified 2012-12-30T00:00:00

Description

                                        
                                            `Hello list!  
  
Earlier I've wrote to the list about multiple vulnerabilities in multiple   
themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In   
that later I've mentioned 16 themes by RocketTheme (with Rokbox):   
Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse,   
Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx,   
Moxy, Terrantribune, Meridian.  
  
I've wrote about 14 themes + 2 variations of 2 themes by these developers,   
but they have 47 themes for WordPress in total. Among them only three are   
free, and all other themes from RocketTheme are paid ones (it's needed to   
buy subscription to the club to receive access to them). And Rokbox is   
bundled with all these themes, except Grunge, which have all   
earlier-mentioned vulnerabilities.  
  
So I inform you about multiple vulnerabilities in 33 new themes for   
WordPress, which are developed by RocketTheme (Rokbox's developers). These   
are Content Spoofing, Cross-Site Scripting, Full path disclosure and   
Information Leakage vulnerabilities.  
  
-------------------------  
Affected products:  
-------------------------  
  
In these 32 themes (in addition to previous 16) there are Cross-Site   
Scripting, Content Spoofing, Full path disclosure and Information Leakage   
vulnerabilities. And Grunge theme has FPD holes.  
  
These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere,   
Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex,   
Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox,   
Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline,   
Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge.  
  
Affected all versions of these themes for WordPress.  
  
Since August I've informed the developers many times concerning   
vulnerabilities in Rokbox and their themes with it.  
  
----------  
Details:  
----------  
  
Content Spoofing (WASC-12):  
  
In parameter file there can be set as video, as audio files.  
  
Swf-file of JW Player accepts arbitrary addresses in parameters file and   
image, which allows to spoof content of flash - i.e. by setting addresses of   
video (audio) and/or image files from other site.  
  
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF  
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg  
  
Content Spoofing (WASC-12):  
  
Swf-file of JW Player accepts arbitrary addresses in parameter config, which   
allows to spoof content of flash - i.e. by setting address of config file   
from other site (parameters file and image in xml-file accept arbitrary   
addresses). For loading of config file from other site it needs to have   
crossdomain.xml.  
  
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml  
  
1.xml  
  
<config>  
<file>1.flv</file>  
<image>1.jpg</image>  
</config>  
  
Content Spoofing (WASC-12):  
  
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site  
  
XSS (WASC-08):  
  
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B  
  
Full path disclosure (WASC-13):  
  
In all these themes there is FPD in index.php   
(http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for other   
themes), which works at default PHP settings. Also potentially there are FPD   
in other php-files of these themes.  
  
Information Leakage (WASC-13):  
  
In some themes, similar to rt_mixxmag_wp, there can be error log with full   
paths.  
  
http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`