Joomla Themes Cross Site Scripting / Denial Of Service

2011-04-24T00:00:00
ID PACKETSTORM:100805
Type packetstorm
Reporter MustLive
Modified 2011-04-24T00:00:00

Description

                                        
                                            `Hello list!  
  
I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse  
of Functionality and Denial of Service vulnerabilities in multiple themes  
and components for Joomla.  
  
-------------------------  
Affected products:  
-------------------------  
  
Similarly to vulnerabilities in multiple themes for WordPress, Drupal and  
ExpressionEngine, also the next themes and components for Joomla are  
vulnerable: theme PBV MULTI VirtueMart Theme for component VirtueMart,  
component Registration and component Handy Photo Album.  
  
Vulnerable are versions of these themes and components with TimThumb 1.24  
and previous versions. In particular vulnerable are PBV MULTI VirtueMart  
Theme 1.0.5 and previous versions, Registration 1.0.0 and Handy Photo Album  
1.0.1 and previous versions. Beside these ones there are many other  
vulnerable themes and components for Joomla. The name of affected script can  
be timthumb.php or thumb.php.  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of  
Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are  
similar to those in earlier mentioned themes for WordPress, Drupal and  
ExpressionEngine. Because these themes and components contain TimThumb,   
about vulnerabilities in which I wrote earlier  
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html).  
  
Theme PBV MULTI VirtueMart Theme for component VirtueMart for Joomla:  
  
Full path disclosure (WASC-13):  
  
http://site/components/com_virtuemart/themes/pbv_multi/scripts/timthumb.php?src=http://  
  
Vulnerable to Full path disclosure, Abuse of Functionality and DoS. In case  
of AoF and DoS the access is possible only to current and allowed sites.  
  
Component Registration, which is part of Joomla:  
  
XSS (WASC-08):  
  
http://site/components/com_registration/script/timthumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E  
  
Vulnerable to XSS, Full path disclosure, Abuse of Functionality and DoS.  
  
Component Handy Photo Album for Joomla:  
  
XSS (WASC-08):  
  
http://site/components/com_hpalbum/timthumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E  
  
Vulnerable to XSS, Full path disclosure, Abuse of Functionality and DoS.  
  
------------  
Timeline:  
------------  
  
2011.02.08 - informed developer of TimThumb.  
2011.02.13 - developer of TimThumb released version 1.25.  
2011.04.22 - disclosed at my site about vulnerabilities in multiple themes  
and components for Joomla.  
2011.04.23 - informed developers of Joomla and developers of mentioned theme  
and components (if they still haven't updated from 13th of February).  
  
I mentioned about these vulnerabilities at my site  
(http://websecurity.com.ua/5102/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
`