Hello list!

I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse
of Functionality and Denial of Service vulnerabilities in multiple themes
and components for Joomla.

-------------------------
Affected products:
-------------------------

Similarly to vulnerabilities in multiple themes for WordPress, Drupal and
ExpressionEngine, also the next themes and components for Joomla are
vulnerable: theme PBV MULTI VirtueMart Theme for component VirtueMart,
component Registration and component Handy Photo Album.

Vulnerable are versions of these themes and components with TimThumb 1.24
and previous versions. In particular vulnerable are PBV MULTI VirtueMart
Theme 1.0.5 and previous versions, Registration 1.0.0 and Handy Photo Album
1.0.1 and previous versions. Beside these ones there are many other
vulnerable themes and components for Joomla. The name of affected script can
be timthumb.php or thumb.php.

----------
Details:
----------

Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of
Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities are
similar to those in earlier mentioned themes for WordPress, Drupal and
ExpressionEngine. Because these themes and components contain TimThumb, 
about vulnerabilities in which I wrote earlier
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html).

Theme PBV MULTI VirtueMart Theme for component VirtueMart for Joomla:

Full path disclosure (WASC-13):

http://site/components/com_virtuemart/themes/pbv_multi/scripts/timthumb.php?src=http://

Vulnerable to Full path disclosure, Abuse of Functionality and DoS. In case
of AoF and DoS the access is possible only to current and allowed sites.

Component Registration, which is part of Joomla:

XSS (WASC-08):

http://site/components/com_registration/script/timthumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E

Vulnerable to XSS, Full path disclosure, Abuse of Functionality and DoS.

Component Handy Photo Album for Joomla:

XSS (WASC-08):

http://site/components/com_hpalbum/timthumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E

Vulnerable to XSS, Full path disclosure, Abuse of Functionality and DoS.

------------
Timeline:
------------

2011.02.08 - informed developer of TimThumb.
2011.02.13 - developer of TimThumb released version 1.25.
2011.04.22 - disclosed at my site about vulnerabilities in multiple themes
and components for Joomla.
2011.04.23 - informed developers of Joomla and developers of mentioned theme
and components (if they still haven't updated from 13th of February).

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5102/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua