Hello list!

I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse
of Functionality and Denial of Service vulnerabilities in theme Magazeen for
WordPress and Dotclear.

SecurityVulns ID: 11635.

-------------------------
Affected products:
-------------------------

Similarly to vulnerabilities in multiple themes for WordPress, Drupal,
ExpressionEngine and Joomla, also theme Magazeen for WordPress and Dotclear
is vulnerable. Just as earlier-mentioned themes for WordPress and other
engines, similarly other themes for Dotclear can be vulnerable (at using of
TimThumb).

Vulnerable are versions of theme Magazeen (1.0 and next) for WP and DC with
TimThumb 1.24 and previous versions.

----------
Details:
----------

Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of
Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are
similar to those in earlier mentioned themes for WordPress, Drupal,
ExpressionEngine and Joomla. Because these themes contain TimThumb, about
vulnerabilities in which I wrote earlier
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html).

For WordPress:

XSS (WASC-08):

http://site/wp-content/themes/magazeen/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E

For Dotclear:

XSS (WASC-08):

http://site/themes/magazeen%5Bdc2%5D/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E

Both versions of this theme are vulnerable to XSS, Full path disclosure,
Abuse of Functionality and DoS.

------------
Timeline:
------------

2011.02.08 - informed developer of TimThumb.
2011.02.13 - developer of TimThumb released version 1.25.
2011.04.30 - disclosed at my site about vulnerabilities in theme Magazeen.
2011.05.01 - informed both developers of theme Magazeen for WP and for DC 
(if they still haven't updated from 13th of February).

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5120/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua