lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <004601cc0929$c0b97330$0201a8c0@ml>
Date: Tue, 3 May 2011 03:33:09 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in theme Magazeen для WordPress and Dotclear

Hello list!

I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse
of Functionality and Denial of Service vulnerabilities in theme Magazeen for
WordPress and Dotclear.

SecurityVulns ID: 11635.

-------------------------
Affected products:
-------------------------

Similarly to vulnerabilities in multiple themes for WordPress, Drupal,
ExpressionEngine and Joomla, also theme Magazeen for WordPress and Dotclear
is vulnerable. Just as earlier-mentioned themes for WordPress and other
engines, similarly other themes for Dotclear can be vulnerable (at using of
TimThumb).

Vulnerable are versions of theme Magazeen (1.0 and next) for WP and DC with
TimThumb 1.24 and previous versions.

----------
Details:
----------

Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of
Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are
similar to those in earlier mentioned themes for WordPress, Drupal,
ExpressionEngine and Joomla. Because these themes contain TimThumb, about
vulnerabilities in which I wrote earlier
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html).

For WordPress:

XSS (WASC-08):

http://site/wp-content/themes/magazeen/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E

For Dotclear:

XSS (WASC-08):

http://site/themes/magazeen%5Bdc2%5D/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E

Both versions of this theme are vulnerable to XSS, Full path disclosure,
Abuse of Functionality and DoS.

------------
Timeline:
------------

2011.02.08 - informed developer of TimThumb.
2011.02.13 - developer of TimThumb released version 1.25.
2011.04.30 - disclosed at my site about vulnerabilities in theme Magazeen.
2011.05.01 - informed both developers of theme Magazeen for WP and for DC 
(if they still haven't updated from 13th of February).

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5120/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ