Just checked two of the themes you listed (Typebased and NewsPress) and they don't have any test.php file. Did you check them all?
On 4 June 2011 17:17, MustLive <[email protected]> wrote:
> Hello list!
>
> I want to warn you about Information Leakage and Cross-Site Scripting
> vulnerabilities in multiple themes for WordPress.
>
> -------------------------
> Affected products:
> -------------------------
>
> The following themes by WooThemes are vulnerable: Live Wire (all three themes
> from the Live Wire series), Gotham News, Typebased, Blogtheme, VibrantCMS, Fresh
> News, The Gazette Edition, NewsPress, The Station, The Original Premium
> News, Flash News, Busy Bee, Geometric. Other vulnerable themes for WP are
> possible.
>
> ----------
> Details:
> ----------
>
> In various themes there is test.php, a script with phpinfo(), which leads
> to Information Leakage (disclosure of FPD and other important information
> about the server) and XSS (in PHP < 4.4.1, 4.4.3-4.4.6).
>
> Information Leakage (WASC-13):
>
> http://site/wp-content/themes/_theme's_name_/includes/test.php
>
> XSS (WASC-08):
>
> http://site/wp-content/themes/_theme's_name_/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> For Live Wire the script is located at
> http://site/wp-content/themes/livewire/includes/test.php, and similarly for
> other themes.
>
> ------------
> Timeline:
> ------------
>
> 2011.04.11 - announced at my site.
> 2011.04.12 - informed developers.
> 2011.06.04 - disclosed at my site.
>
> These vulnerabilities are still not fixed by the developers. So users of these
> themes need to fix the vulnerabilities manually (e.g. by deleting this
> script).
>
> I mentioned these vulnerabilities at my site
> (http://websecurity.com.ua/5071/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
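A quick way for a site owner to settle the question raised in this thread is to check the local install rather than a URL. The following POSIX shell function is an added example, not part of either message: it walks wp-content/themes under a WordPress root (the path argument is assumed) and lists every PHP file that calls phpinfo(), which covers the includes/test.php case from the advisory as well as any similar leftover in other themes.

```shell
#!/bin/sh
# List theme files under a WordPress install that call phpinfo().
# Such scripts disclose server configuration (paths, versions, env) to
# anyone who can request them, so they should not ship in a theme.
#
# Usage: find_phpinfo_scripts /var/www/wordpress   (path is an assumption)
# Prints matching paths one per line.
# Exit status: 0 = none found, 1 = one or more found, 2 = bad root path.
find_phpinfo_scripts() {
    wp_root="$1"
    themes_dir="$wp_root/wp-content/themes"
    [ -d "$themes_dir" ] || {
        echo "no themes directory under $wp_root" >&2
        return 2
    }
    # The advisory names includes/test.php, but any theme file that calls
    # phpinfo() leaks the same details, so scan every .php file.
    # grep -l prints only file names; sort makes the report stable.
    hits=$(find "$themes_dir" -type f -name '*.php' \
               -exec grep -l 'phpinfo[[:space:]]*(' {} + | sort)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}
```

The advisory's recommended fix is to delete the reported files; the function only reports them so the operator can confirm each hit first.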
