FPD and XSS vulnerabilities in Easy Contact for WordPress

["MustLive" <mustlive () websecurity com ua>]

Hello list!

I want to warn you about Full path disclosure and Cross-Site Scripting
vulnerabilities in plugin Easy Contact for WordPress.

-------------------------
Affected products:
-------------------------

Vulnerable are Easy Contact 0.1.2 and previous versions.

----------
Details:
----------

Full path disclosure (WASC-13):

http://site/wp-content/plugins/easy-contact/econtact.php

http://site/wp-content/plugins/easy-contact/econtact-menu.php

XSS (WASC-08):

At plugin's options page there are 6 persistent XSS. But there is
protection against CSRF in the form, so it's needed to use another XSS for
placing of the code (e.g. one of reflected XSS in this plugin), for
bypassing of this protection and placing of attacking code in plugin's
options.

POST request at page
http://site/wp-admin/options-general.php?page=easy-contact/econtact-menu.php

<script>alert(document.cookie)</script> (in WordPress 2.6.2)
<img src=javascript:alert(document.cookie)> (in WordPress 2.9.2, where
built-in filters were improved, which is used by this plugin)

In fields: Intro, Success, Empty, Incorrect, Invalid Email, Malicious.

The code will execute at page with contact form: in case of field Intro - at
visiting of this page, in case of other fields - at corresponding events.

------------
Timeline:
------------

2011.04.02 - announced at my site.
2011.04.05 - informed developers.
2011.05.21 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5059/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/