Wordpress plug-in zingsiri Web Shop & lt; = 2.4.0 Multiple xss Problems

Wordpress zingsiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities
 
Author: Mehmet Ince www.2cto.com
Author: http://www.zingiri.com
Affected Versions: 2.3.0 and 2.4.0 have been tested
Title: Wordpress zingsiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities
: Http://downloads.wordpress.org/plugin/zingiri-web-shop.2.4.0.zip
Affected Versions: 2.4.0 and older.
Test Platform: version of 2.3.0 and 2.4.0 with Ubuntu 11.10 Server with Firefox browser.
######################################## ######################################
/*
# BASIC XSS
PS: unauthenticated execution
 
Plugins/zingsiri-web-shop/zing. inc. php
 
Line at 401.
 
If ($ process = 'content' & $ page! = 'Ajax '& $ page! = 'Downldr') echo '<div
Class = "zing_ws_page" id = "zing_ws _ '. $ _ GET ['page'].'"> ';
 
Test:
Http://www.bkjia.com/wordpress /? Page = % 22% 3E % 3 Cscript % 3 Ealert % 28document. cookie % 29% 3C/script % 3E
 
'Page' variable isn' t properly sanitized before being used.
 
 
# Stored XSS
PS: Attacker shoshould be logged for exploit.
./Fws/pages-front/onecheckout. php
 
Line 27-29
If (! Empty ($ _ POST ['note']) {
$ Notes =$ _ POST ['note'];
}
 
And line 348
<Textarea name = "notes" rows = "5" style = "width: 100%"> <? Php echo
$ Notes;?> & Lt;/textarea & gt; <br/>
 
'Note' variable isn' t properly sanitized before being used.
 
That's very basic XSS vulnerabilities. But you dont need use fishing attack
To target webpage's administrator. That application insert datas
Database with that form. After your malicious code posted up, your
When Crip code inserted to database with $ _ POST ['note'] variable. When
Administrator wanna see list of ordered items list. Javascript codes will
Come from database and start working on Authenticated admin user side.
After that You can use browser keylogger with BT5 tools or can usee cookie
Grabber.
*/
 
Step 1: Login to wordpress.
 
Step 2: Go to "Shop" menu. It's shoshould be stay at banner.
 
Http: // 6.6.6.102/wordpress /? Page_id = 14
 
Step 3: Than you'll see list ot items. Click one of them.
 
Http: // 6.6.6.102/wordpress /? Page = details & prod = 2 & cat = 1 & page_id = 14
 
Step 4: You can pass that form action. That wont be problem ..! Click
"Order" button.
 
Step 5: There is confirmation about the Shopping. Click "checkout" to pass
That page.
 
Step 6: It's final stage. Put you javascript payload to "Additional
Comments/questions "form. After you click checkout button, that form will
Get all of these input data with POST method.
 
Step 7: Click to "Checkout"