Hello list! I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in multiple themes and components for Joomla. ------------------------- Affected products: ------------------------- Similarly to vulnerabilities in multiple themes for WordPress, Drupal and ExpressionEngine, also the next themes and components for Joomla are vulnerable: theme PBV MULTI VirtueMart Theme for component VirtueMart, component Registration and component Handy Photo Album. Vulnerable are versions of these themes and components with TimThumb 1.24 and previous versions. In particular vulnerable are PBV MULTI VirtueMart Theme 1.0.5 and previous versions, Registration 1.0.0 and Handy Photo Album 1.0.1 and previous versions. Beside these ones there are many other vulnerable themes and components for Joomla. The name of affected script can be timthumb.php or thumb.php. ---------- Details: ---------- Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are similar to those in earlier mentioned themes for WordPress, Drupal and ExpressionEngine. Because these themes and components contain TimThumb, about vulnerabilities in which I wrote earlier (http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html). Theme PBV MULTI VirtueMart Theme for component VirtueMart for Joomla: Full path disclosure (WASC-13): http://site/components/com_virtuemart/themes/pbv_multi/scripts/timthumb.php?src=http:// Vulnerable to Full path disclosure, Abuse of Functionality and DoS. In case of AoF and DoS the access is possible only to current and allowed sites. Component Registration, which is part of Joomla: XSS (WASC-08): http://site/components/com_registration/script/timthumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E Vulnerable to XSS, Full path disclosure, Abuse of Functionality and DoS. Component Handy Photo Album for Joomla: XSS (WASC-08): http://site/components/com_hpalbum/timthumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E Vulnerable to XSS, Full path disclosure, Abuse of Functionality and DoS. ------------ Timeline: ------------ 2011.02.08 - informed developer of TimThumb. 2011.02.13 - developer of TimThumb released version 1.25. 2011.04.22 - disclosed at my site about vulnerabilities in multiple themes and components for Joomla. 2011.04.23 - informed developers of Joomla and developers of mentioned theme and components (if they still haven't updated from 13th of February). I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5102/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua