| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 May 2011 18:15:40 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: FPD and XSS vulnerabilities in Easy Contact for WordPress Hello list! I want to warn you about Full path disclosure and Cross-Site Scripting vulnerabilities in plugin Easy Contact for WordPress. ------------------------- Affected products: ------------------------- Vulnerable are Easy Contact 0.1.2 and previous versions. ---------- Details: ---------- Full path disclosure (WASC-13): http://site/wp-content/plugins/easy-contact/econtact.php http://site/wp-content/plugins/easy-contact/econtact-menu.php XSS (WASC-08): At plugin's options page there are 6 persistent XSS. But there is protection against CSRF in the form, so it's needed to use another XSS for placing of the code (e.g. one of reflected XSS in this plugin), for bypassing of this protection and placing of attacking code in plugin's options. POST request at page http://site/wp-admin/options-general.php?page=easy-contact/econtact-menu.php <script>alert(document.cookie)</script> (in WordPress 2.6.2) <img src=javascript:alert(document.cookie)> (in WordPress 2.9.2, where built-in filters were improved, which is used by this plugin) In fields: Intro, Success, Empty, Incorrect, Invalid Email, Malicious. The code will execute at page with contact form: in case of field Intro - at visiting of this page, in case of other fields - at corresponding events. ------------ Timeline: ------------ 2011.04.02 - announced at my site. 2011.04.05 - informed developers. 2011.05.21 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5059/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists