Open Source and information security mailing list archives
Message-ID: <005f01cc090a$b3d49c40$0201a8c0@ml>
Date: Mon, 2 May 2011 23:50:42 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in multiple themes for ExpressionEngine (update)

Hello list!

This is additional information concerning the vulnerabilities in multiple 
themes for ExpressionEngine, which I informed about earlier.

Recently Bjorn Borresen, author of the ports of WooThemes' themes for 
ExpressionEngine (who was hired by WooThemes to port their themes to 
this engine), informed me that he made his own version of TimThumb for use 
in EE, named Teemthumb. In this version of the web application other 
approaches are used, which make it immune to these attacks. I checked this 
by looking at its code (the parameters are passed to the script only in the 
code of the templates, i.e. attacks via GET parameters are not possible).

Taking into account that I contacted WooThemes on the 6th of March concerning 
their themes for other engines besides WP, and that they agreed with me (and 
thus confirmed that these themes are vulnerable) and told me nothing about 
non-original versions of TimThumb being used in any of their themes, I leave 
this inaccuracy on their conscience.

So the mentioned themes for EE are not directly vulnerable to these attacks, 
unlike the themes for WordPress, Drupal and Joomla that I mentioned (and also 
the components for Joomla). But these themes for EE can be attacked locally, 
with access to theme editing (so I've given additional recommendations to the 
author). All other themes for EE which use the original TimThumb will be 
vulnerable.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

