lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <004b01cde21f$1da70100$9b7a6fd5@pc>
Date: Mon, 24 Dec 2012 23:38:39 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
	"1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Persistent XSS vulnerability in WP-UserOnline

Hello list!

in 2010 I've disclosed multiple vulnerabilities (Cross-Site Scripting and 
Full path disclosure) in WordPress plugin WP-UserOnline 
(http://securityvulns.ru/Ydocument162.html, 
http://seclists.org/fulldisclosure/2010/Jul/8). And recently I've disclosed 
the exploit for persistent XSS vulnerability in WP-UserOnline. It must be 
interesting for those who want to test this vulnerability.

Exploit:

http://websecurity.com.ua/uploads/2012/WP-UserOnline.txt

This perl exploit I've developed at 26.04.2010.

As I've wrote earlier, vulnerable are WP-UserOnline 2.62 and previous 
versions. After my informing the developer released WP-UserOnline 2.70 (at 
07.05.2010). In version 2.70 he fixed XSS, but not Full path disclosure 
vulnerabilities.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ