SecurityvulnsSECURITYVULNS:DOC:29314Vulnerabilities in multiple themes for WordPress with jPlayer
Hello 3APA3A!
I want to inform you about multiple vulnerabilities in multiple themes for WordPress with jPlayer. These are Cross-Site Scripting, Content Spoofing and Full path disclosure vulnerabilities.
I've wrote about vulnerabilities in jPlayer earlier (http://seclists.org/fulldisclosure/2013/Apr/192). jPlayer is used in multiple web applications and particularly in multiple plugins (as I've wrote earlier) and themes for WordPress. And in WP themes even more then in plugins - there are many thousands of vulnerable themes (these are free, commercial and custom themes). Plus there are many web sites which placed Jplayer.swf in other folders besides plugins and themes. Google dork for jPlayer shows 32000 results and for WP themes with it shows 313000 (inurl:Jplayer.swf inurl:/wp-content/themes/).
Among them are Studiozen, Photocrati, Music, Imperial Fairytale and Feather12. And thousands of other themes (see Google dork). All developers of these themes, the same as developers of all other web applications with jPlayer, need to update it in their software.
Affected products:
All versions of Studiozen, Photocrati, Music, Imperial Fairytale and Feather12 themes.
Vulnerabilities are in jPlayer versions before 2.2.23. Version 2.2.23 and the last released version 2.3.0 are not vulnerable to mentioned XSS, except CS via JS and XSS via JS callbacks. Also there are other bypass methods which work in version 2.3.0, but the developers haven't fixed them besides attack via alert. About that I've wrote to developers already in March and reminded again. So wait for new version with fixing of these vulnerabilities.
Details:
Cross-Site Scripting (WASC-08):
In different versions of jPlayer there are different XSS vulnerabilities (see in the first advisory) and different WP themes has different versions of jPlayer.
Studiozen:
http://site/wp-content/themes/studiozen/js/html5player/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
Photocrati:
http://site/wp-content/themes/photocrati-theme/scripts/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
Music:
http://site/wp-content/themes/music/js/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
Imperial Fairytale:
Feather12:
http://site/wp-content/themes/feather12/js/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
http://site/wp-content/themes/feather12/js/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
Content Spoofing (WASC-12):
It's possible to conduct CS (inclusion of audio/video files from external resources) via JS and XSS via JS callbacks. This requires HTML Injection vulnerability at the site. The attack is similar to XSS attacks via callbacks in JW Player (http://securityvulns.ru/docs28176.html).
Because this attack vector requires separate vulnerability at target site to conduct CS and XSS attacks with using of jPlayer, the developers didn't do anything to fix it. The same as developers JW Player. So protection from this attack scenario lies solely on web sites owners.
Full path disclosure (WASC-13):
All mentioned themes have FPD vulnerabilities in php-files (in index.php and others), which is typically for WP themes.
http://site/wp-content/themes/studiozen/
http://site/wp-content/themes/photocrati-theme/
http://site/wp-content/themes/music/
http://site/wp-content/themes/imperial-fairytale/
http://site/wp-content/themes/feather12/
Timeline:
2013.03.19 - informed developers of jPlayer.
2013.04.20 - developers released jPlayer 2.3.0 (http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.21 - informed multiple developers of WordPress plugins and other software with jPlayer.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua