0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Colormix theme XSS / Full path disclosure Vulnerability
Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which were fixed by the developers - JW Player developers fixed one hole and promised to fix others later and RokBox fixed all holes (but it was questionable how they fixed holes related to JW Player). In December I've wrote about 47 RocketTheme's themes for WordPress (which contain RokBox). Besides their themes I've found in December similar vulnerabilities in multiple themes of other developers (including custom themes). Now I'll inform you about multiple vulnerabilities in Colormix theme for WordPress. These are Cross-Site Scripting, Content Spoofing and Full path disclosure vulnerabilities. ------------------------- Affected products: ------------------------- Affected all versions of Colormix theme for WordPress. Other themes of this developer can be vulnerable as well. ------------------------- Affected vendors: ------------------------- Wordpress Themes Park http://www.wordpressthemespark.com ---------- Details: ---------- XSS (WASC-08): http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B Content Spoofing (WASC-12): In parameter file there can be set as video, as audio files. Swf-file of JW Player accepts arbitrary addresses in parameters file and image, which allows to spoof content of flash - i.e. by setting addresses of video (audio) and/or image files from other site. http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg Content Spoofing (WASC-12): Swf-file of JW Player accepts arbitrary addresses in parameter config, which allows to spoof content of flash - i.e. by setting address of config file from other site (parameters file and image in xml-file accept arbitrary addresses). For loading of config file from other site it needs to have crossdomain.xml. http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml 1.xml <config> <file>1.flv</file> <image>1.jpg</image> </config> Content Spoofing (WASC-12): http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site Full path disclosure (WASC-13): There are FPD In folder http://site/wp-content/themes/colormix/ in index.php and many other php-files of theme. ------------ Timeline: ------------ 2012.05.29 - informed developers of JW Player. 2012.08.18 - informed developers about new holes in JW Player Pro. 2012.08.28 - informed developers of Rokbox. 2012.12.14 - disclosed at my site about Rokbox. 2012.12.23 - disclosed to the lists the first part of vulnerable themes by RocketTheme for WordPress. 2012.12.30 - disclosed to the lists the second part of vulnerable themes by RocketTheme for WordPress. 2013.04.18 - disclosed at my site about Colormix theme (http://websecurity.com.ua/6457/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua # 0day.today [2024-10-06] #