Hello list!

I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in multiple themes for Drupal.

-------------------------
Affected products:
-------------------------

The following commercial themes (by WooThemes) for Drupal are vulnerable: Fresh News, Inspire, Spectrum, Delegate, Optimize, Bueno, Headlines, Daily Edition, Coffee Break, The Gazette Edition.

Versions of these themes that ship TimThumb 1.24 and earlier are vulnerable.

Besides these themes from WooThemes, other Drupal themes (bundling TimThumb) from other developers can also be vulnerable, and there are many such themes. In the WooThemes themes the file is called thumb.php; in other themes other file names can be used, timthumb.php in particular.

----------
Details:
----------

The Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are similar to those in the 90 themes for WordPress from two developers mentioned earlier, because these themes contain TimThumb, whose vulnerabilities I wrote about earlier (http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html).

------------
Timeline:
------------

2011.02.01 - informed developers from WooThemes about the holes in their themes for WordPress.
2011.03.05 - announced at my site.
2011.03.06 - reminded developers from WooThemes that these holes also exist in their themes for other engines.
2011.04.16 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4982/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
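The advisory gives two things an administrator can act on: the bundled file is named thumb.php in the WooThemes themes (timthumb.php elsewhere), and the affected TimThumb versions are 1.24 and earlier. The script below is an added inventory check, not part of the advisory and not WooThemes or TimThumb code. It walks a Drupal themes directory for both file names and reports each copy's version; it assumes TimThumb declares its version on a line of the form define ('VERSION', '1.24'); (an assumption about the TimThumb source, so a copy that declares it differently is reported as "unknown" rather than skipped). The sample theme tree built by make_fixture is constructed for the dry run and contains no real theme code.

```shell
#!/bin/sh
# Inventory TimThumb copies under a Drupal themes directory and flag the
# versions the advisory names (1.24 and earlier). Added example; assumes
# TimThumb declares its version as:  define ('VERSION', '1.24');

timthumb_version() {
  # Print the VERSION constant declared in file $1 (empty if not found).
  sed -n "s/.*define *( *'VERSION', *'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

timthumb_is_affected() {
  # Exit 0 when version $1 is 1.24 or earlier. Compares major and minor
  # numerically so that 1.9 and 1.09 sort below 1.24 (string compare would not).
  awk -v v="$1" 'BEGIN {
    n = split(v, a, ".")
    if (n < 2) exit 1
    exit !(a[1] + 0 < 1 || (a[1] + 0 == 1 && a[2] + 0 <= 24))
  }'
}

scan_themes() {
  # Walk $1 for thumb.php / timthumb.php and print "path version status" per copy.
  # "newer" only means newer than the 1.24 threshold the advisory gives.
  find "$1" -type f \( -name thumb.php -o -name timthumb.php \) | sort |
  while IFS= read -r f; do
    v=$(timthumb_version "$f")
    if [ -z "$v" ]; then
      status=unknown
    elif timthumb_is_affected "$v"; then
      status=AFFECTED
    else
      status=newer
    fi
    printf '%s %s %s\n' "$f" "${v:-?}" "$status"
  done
}

make_fixture() {
  # Constructed sample theme tree for a dry run (hypothetical paths, not real theme files).
  d=$(mktemp -d)
  mkdir -p "$d/freshnews" "$d/other" "$d/clean"
  printf "<?php\ndefine ('VERSION', '1.24');\n" > "$d/freshnews/thumb.php"
  printf "<?php\ndefine ('VERSION', '1.09');\n" > "$d/other/timthumb.php"
  printf "<?php\ndefine ('VERSION', '1.25');\n" > "$d/clean/timthumb.php"
  printf '%s\n' "$d"
}

# Usage:  sh timthumb_scan.sh --demo            (run against the constructed tree)
#         sh timthumb_scan.sh /var/www/sites/all/themes
if [ "${1:-}" = "--demo" ]; then
  scan_themes "$(make_fixture)"
elif [ -n "${1:-}" ]; then
  scan_themes "$1"
fi
```

A copy reported as AFFECTED should be treated as the advisory describes regardless of which theme bundles it; a copy reported as unknown still needs to be opened and checked by hand, since the version line may simply be written differently.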