Vulnerabilities in WP-UserOnline for WordPress

["MustLive" <mustlive () websecurity com ua>]

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in plugin WP-UserOnline 
for WordPress.

-----------------------------
Advisory: Vulnerabilities in WP-UserOnline for WordPress
-----------------------------
URL: http://websecurity.com.ua/4177/
-----------------------------
Affected products: WP-UserOnline 2.62 and previous versions.
-----------------------------
Timeline:

26.04.2010 - found vulnerabilities.
30.04.2010 - announced at my site.
01.05.2010 - informed developer.
07.05.2010 - developer released WP-UserOnline 2.70. In version 2.70 the
developer fixed XSS, but not Full path disclosure vulnerabilities.
01.07.2010 - disclosed at my site.
-----------------------------
Details:

These are Cross-Site Scripting and Full path disclosure vulnerabilities.

XSS:

With help of special request to the site it's possbile to conduct XSS 
attack. For this it's needed to send GET request in special way (not in 
browser) to page http://site/?<script>alert(document.cookie)</script>.

This is persistent XSS. Vulnerability appears at page 
http://site/wp-admin/index.php?page=wp-useronline.

Full path disclosure:

http://site/wp-content/plugins/wp-useronline/admin.php

http://site/wp-content/plugins/wp-useronline/widget.php

http://site/wp-content/plugins/wp-useronline/wp-stats.php

http://site/wp-content/plugins/wp-useronline/wp-useronline.php

http://site/wp-content/plugins/wp-useronline/scb/Widget.php

http://site/wp-content/plugins/wp-useronline/scb/load.php

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/