| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <002a01cbfd2c$9beefbf0$0201a8c0@ml> Date: Sun, 17 Apr 2011 21:22:59 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: Vulnerabilities in multiple themes for Drupal Hello list! I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in multiple themes for Drupal. ------------------------- Affected products: ------------------------- Vulnerable are the next commercial themes (by WooThemes) for Drupal: Fresh News, Inspire, Spectrum, Delegate, Optimize, Bueno, Headlines, Daily Edition, Coffee Break, The Gazette Edition. Vulnerable are versions of these themes with TimThumb 1.24 and previous versions. Besides these themes from WooThemes also can be vulnerable other themes for Drupal (with TimThumb) from other developers (and there are many such themes). If in themes from WooThemes the file called thumb.php, then in other themes other file names can be used, timthumb.php in particular. ---------- Details: ---------- Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are similar to those in earlier mentioned 90 themes for WordPress from two developers. Because these themes contain TimThumb, about vulnerabilities in which I wrote earlier (http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html). ------------ Timeline: ------------ 2011.02.01 - informed developers from WooThemes about holes in their themes for WordPress. 2011.03.05 - announced at my site. 2011.03.06 - reminded developers from WooThemes that these holes also exist in their themes for other engines. 2011.04.16 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4982/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists