what you don't know can hurt you

WordPress Roomcloud 1.1 Cross Site Scripting

WordPress Roomcloud 1.1 Cross Site Scripting
Posted May 11, 2015
Authored by Nitin Venkatesh

WordPress Roomcloud plugin version 1.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | f2033c006583818059b45b6d88183298

WordPress Roomcloud 1.1 Cross Site Scripting

Change Mirror Download
## Details

# Title: Unsanitized parameters in Wordpress Roomcloud plugin v1.1(rev
@1115307) allows Cross-site Scripting
# Submitter: Nitin Venkatesh <venkatesh [dot] nitin [at] gmail [dot] com>
# Product: Wordpress Roomcloud plugin
# Product URL: https://wordpress.org/plugins/roomcloud
# Vulnerability Type: Cross-site Scripting [CWE-79]
# Affected Versions: Tested on v1.1 (revision @1115307)
# Fixed Version: v1.1 (revision @1117499)
# Link to source code diff:
https://plugins.trac.wordpress.org/changeset/1117499
# CVE Status: None/Unassigned/Fresh

## Product Information

A Plugin to add roomcloud booking form to hotel website using [roomcloud]
shortcode

Use Roomcloud plugin to embed our Booking Engine form into your wordpress
site.
This allows your customers to make online reservations on the web site of
your hotel.
More info at http://www.roomcloud.net

## Vulnerability Description

Unsantized POST parameters are susceptible to XSS in the roomcloud.php file
viz., (1)pin, (2)start_day, (3)start_month, (4)start_year, (5)end_day,
(6)end_month, (7)end_year, (8)lang, (9)adults, (10)children

## Vulnerable Source Code

39 echo('<iframe width="800" height="600" src="');
40
41 echo('
http://www.roomcloud.net/be/se1/hotel.jsp?hotel='.$_POST['hotel'].'&pin='.$_POST['pin'].'&start_day='.$_POST['start_day'].'&start_month='.$_POST['start_month'].'&start_year='.$_POST['start_year'].'&end_day='.$_POST['end_day'].'&end_month='.$_POST['end_month'].'&end_year='.$_POST['end_year'].'&r=1&a=1&lang='.$_POST['lang'].'&t=0&n=0&adults='.$_POST['adults'].'&children='.$_POST['children'].$chlda
);
42
43 echo('"></iframe>');

## Proof of Concept

Sample exploit POST request body:

hotel=144&lang=en&start_day="><script>alert(1);</script>&start_month=03&start_year=2015&end_day=20&end_month=03&end_year=2015&adults=2&pin=&children=

## Solution:

Upgrade to latest version of the plugin.

## Disclosure Timeline:

2015-03-19 - Informed developer in support forums for the plugin & mailed
Wordpress plugins team
2015-03-21 - Plugin disabled for download by Wordpress team
2015-03-21 - Contacted developer via email
2015-03-21 - Vulnerability fixed by developer
2015-03-22 - Agreed to public disclosure on/after May 5, 2015
2015-03-23 - Wordpress Plugins team re-enables download page
2015-05-09 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.


Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close