
Full Disclosure mailing list archives
Vulnerabilities in multiple themes for ExpressionEngine
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 20 Apr 2011 20:06:49 +0300
Hello list! I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in multiple themes for ExpressionEngine.

SecurityVulns ID: 11601.

-------------------------
Affected products:
-------------------------

The following commercial themes (by WooThemes) for ExpressionEngine are vulnerable: Fresh News, Inspire, City Guide, Delegate, Optimize, Bueno, Headlines, Daily Edition, Coffee Break, The Station, Over Easy.

Vulnerable are the versions of these themes with TimThumb 1.24 and previous versions.

Besides these themes from WooThemes, other themes for ExpressionEngine (with TimThumb) from other developers can also be vulnerable. The name of the affected script in the themes can be thumb.php or another.

----------
Details:
----------

The Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are similar to those in the earlier mentioned 90 themes for WordPress and 10 themes for Drupal, because these themes contain TimThumb, about whose vulnerabilities I wrote earlier (http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html).

Developers of themes for ExpressionEngine, like developers of themes for WordPress, Drupal and other engines, need to take this into account and attend to the security of their themes.

------------
Timeline:
------------

2011.02.01 - informed developers from WooThemes about holes in their themes for WordPress.
2011.03.06 - reminded developers from WooThemes that these holes also exist in their themes for other engines.
2011.03.08 - announced at my site.
2011.04.19 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4985/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua