Full Disclosure mailing list archives
Wordpress Roomcloud plugin v1.1(rev @1115307) XSS vulnerability
From: Nitin Venkatesh <venkatesh.nitin () gmail com>
Date: Sat, 09 May 2015 05:45:40 +0000
## Details

# Title: Unsanitized parameters in Wordpress Roomcloud plugin v1.1 (rev @1115307) allow Cross-site Scripting
# Submitter: Nitin Venkatesh <venkatesh [dot] nitin [at] gmail [dot] com>
# Product: Wordpress Roomcloud plugin
# Product URL: https://wordpress.org/plugins/roomcloud
# Vulnerability Type: Cross-site Scripting [CWE-79]
# Affected Versions: Tested on v1.1 (revision @1115307)
# Fixed Version: v1.1 (revision @1117499)
# Link to source code diff: https://plugins.trac.wordpress.org/changeset/1117499
# CVE Status: None/Unassigned/Fresh

## Product Information

A plugin to add the Roomcloud booking form to a hotel website using the [roomcloud] shortcode. Use the Roomcloud plugin to embed our Booking Engine form into your WordPress site. This allows your customers to make online reservations on the web site of your hotel. More info at http://www.roomcloud.net

## Vulnerability Description

Unsanitized POST parameters are susceptible to XSS in the roomcloud.php file, viz. (1) pin, (2) start_day, (3) start_month, (4) start_year, (5) end_day, (6) end_month, (7) end_year, (8) lang, (9) adults, (10) children. Each value is concatenated directly into the src attribute of an iframe, so a value containing a double quote closes the attribute and the rest of the input is rendered as markup.

## Vulnerable Source Code

    echo('<iframe width="800" height="600" src="');

    // $chlda is defined elsewhere in roomcloud.php; it is not part of this excerpt
    echo(' http://www.roomcloud.net/be/se1/hotel.jsp?hotel='.$_POST['hotel'].'&pin='.$_POST['pin'].'&start_day='.$_POST['start_day'].'&start_month='.$_POST['start_month'].'&start_year='.$_POST['start_year'].'&end_day='.$_POST['end_day'].'&end_month='.$_POST['end_month'].'&end_year='.$_POST['end_year'].'&r=1&a=1&lang='.$_POST['lang'].'&t=0&n=0&adults='.$_POST['adults'].'&children='.$_POST['children'].$chlda );

    echo('"></iframe>');

## Proof of Concept

Sample exploit POST request body:

    hotel=144&lang=en&start_day="><script>alert(1);</script>&start_month=03&start_year=2015&end_day=20&end_month=03&end_year=2015&adults=2&pin=&children=

## Solution

Upgrade to the latest version of the plugin.
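The following is an added example, not the plugin's code and not the developer's fix from changeset 1117499: one way to build the same iframe src so that the fields listed above cannot break out of the attribute. Every parameter is checked against an allow-list pattern, the query string is percent-encoded, and the result is HTML-escaped before it is placed in the attribute; the function and variable names are my own.

```php
<?php
// Added example, not the plugin's own code: hardened construction of the
// booking-engine iframe src from the POST fields named in the advisory.

function roomcloud_iframe_src(array $post): ?string
{
    // Each parameter is constrained to the shape the booking engine expects.
    // Input that does not match is rejected outright rather than "cleaned".
    $rules = [
        'hotel'       => '/^\d{1,9}$/',
        'pin'         => '/^[A-Za-z0-9]{0,32}$/',
        'start_day'   => '/^(0?[1-9]|[12]\d|3[01])$/',
        'start_month' => '/^(0?[1-9]|1[0-2])$/',
        'start_year'  => '/^20\d{2}$/',
        'end_day'     => '/^(0?[1-9]|[12]\d|3[01])$/',
        'end_month'   => '/^(0?[1-9]|1[0-2])$/',
        'end_year'    => '/^20\d{2}$/',
        'lang'        => '/^[a-z]{2}$/',
        'adults'      => '/^\d{1,2}$/',
        'children'    => '/^\d{1,2}$/',
    ];
    $query = ['r' => 1, 'a' => 1, 't' => 0, 'n' => 0];   // fixed values from the original URL
    foreach ($rules as $name => $pattern) {
        $value = $post[$name] ?? '';
        if (!is_string($value) || !preg_match($pattern, $value)) {
            return null;   // refuse to render the iframe at all
        }
        $query[$name] = $value;
    }
    // http_build_query percent-encodes every value; htmlspecialchars with
    // ENT_QUOTES then makes the URL safe inside a double-quoted attribute.
    $url = 'http://www.roomcloud.net/be/se1/hotel.jsp?' . http_build_query($query);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the advisory's PoC body, and a benign variant of it.
$attack = ['hotel' => '144', 'lang' => 'en', 'start_day' => '"><script>alert(1);</script>',
           'start_month' => '03', 'start_year' => '2015', 'end_day' => '20', 'end_month' => '03',
           'end_year' => '2015', 'adults' => '2', 'pin' => '', 'children' => ''];
$benign = $attack;
$benign['start_day'] = '19';
$benign['children']  = '0';

var_dump(roomcloud_iframe_src($attack) === null);   // bool(true): the PoC request is rejected
$src = roomcloud_iframe_src($benign);
echo '<iframe width="800" height="600" src="' . $src . '"></iframe>', "\n";
```

Inside WordPress, esc_url() and esc_attr() are the idiomatic replacements for the htmlspecialchars() call; the allow-list validation is the part that actually keeps markup out of the attribute.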
## Disclosure Timeline:

2015-03-19 - Informed developer in support forums for the plugin & mailed Wordpress plugins team
2015-03-21 - Plugin disabled for download by Wordpress team
2015-03-21 - Contacted developer via email
2015-03-21 - Vulnerability fixed by developer
2015-03-22 - Agreed to public disclosure on/after May 5, 2015
2015-03-23 - Wordpress Plugins team re-enables download page
2015-05-09 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/