mailing list archives
Vulnerabilities in multiple themes for WordPress with jPlayer
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 24 Apr 2013 23:52:39 +0300
I want to inform you about multiple vulnerabilities in multiple themes for
WordPress with jPlayer. These are Cross-Site Scripting, Content Spoofing and
Full path disclosure vulnerabilities.
I've wrote about vulnerabilities in jPlayer earlier
(http://seclists.org/fulldisclosure/2013/Apr/192). jPlayer is used in
multiple web applications and particularly in multiple plugins (as I've
wrote earlier) and themes for WordPress. And in WP themes even more then in
plugins - there are many thousands of vulnerable themes (these are free,
commercial and custom themes). Plus there are many web sites which placed
Jplayer.swf in other folders besides plugins and themes. Google dork for
jPlayer shows 32000 results and for WP themes with it shows 313000
Among them are Studiozen, Photocrati, Music, Imperial Fairytale and
Feather12. And thousands of other themes (see Google dork). All developers
of these themes, the same as developers of all other web applications with
jPlayer, need to update it in their software.
All versions of Studiozen, Photocrati, Music, Imperial Fairytale and
Vulnerabilities are in jPlayer versions before 2.2.23. Version 2.2.23 and
the last released version 2.3.0 are not vulnerable to mentioned XSS, except
CS via JS and XSS via JS callbacks. Also there are other bypass methods
which work in version 2.3.0, but the developers haven't fixed them besides
attack via alert. About that I've wrote to developers already in March and
reminded again. So wait for new version with fixing of these
Cross-Site Scripting (WASC-08):
In different versions of jPlayer there are different XSS vulnerabilities
(see in the first advisory) and different WP themes has different versions
Content Spoofing (WASC-12):
It's possible to conduct CS (inclusion of audio/video files from external
resources) via JS and XSS via JS callbacks. This requires HTML Injection
vulnerability at the site. The attack is similar to XSS attacks via
callbacks in JW Player (http://securityvulns.ru/docs28176.html).
Because this attack vector requires separate vulnerability at target site to
conduct CS and XSS attacks with using of jPlayer, the developers didn't do
anything to fix it. The same as developers JW Player. So protection from
this attack scenario lies solely on web sites owners.
Full path disclosure (WASC-13):
All mentioned themes have FPD vulnerabilities in php-files (in index.php and
others), which is typically for WP themes.
2013.03.19 - informed developers of jPlayer.
2013.04.20 - developers released jPlayer 2.3.0
(http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.21 - informed multiple developers of WordPress plugins and other
software with jPlayer.
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Vulnerabilities in multiple themes for WordPress with jPlayer MustLive (Apr 24)