[EXPLOIT] - TinyMCE on Joomla 1.5.12 RCE upload vulnerability

November 25, 2009

Exploit


For those who have not yet upgraded Joomla to the latest version, 1.5.15, here is yet another vulnerability found in earlier versions.

This time it is a Remote Command Execution that exploits a vulnerability in the widely used TinyMCE editor, allowing the upload of files that, in theory, should be forbidden. The vulnerability was discovered by the Italian researcher Luca "Daath" De Fulgentis, who explained the exploit in detail on his blog.

From the website of Offensive-Security, which is taking the place of the well-known and now closed milw0rm, you can download the PHP exploit that allows any file to be uploaded, simply by running the exploit with php from your shell.

As previously mentioned, the hack exploits a vulnerability in TinyMCE. The editor uses an array in which the file extensions that may not be uploaded are declared (a blacklist), but by modifying the HTTP request you can upload a file with an accepted extension and then rename it using TinyMCE's own rename function.

Of course there is a "security" mechanism in the editor's script, but unfortunately it is a simple check of an MD5 hash generated from the concatenation of the absolute path with a variable called `$tinybrowser['obfuscate']`, which is set by default to "s0merand0mjunk!111" in the file "config_tinybrowser.php", found at the following location:

TinyBrowser

And this is the "security" system (or rather, the vulnerability): the file "upload_file.php", which verifies the MD5 hash:

Upload File TinyBrowser

The exploit created by Daath, once given the victim site, first bypasses this mechanism by performing a path disclosure: a file is requested with incorrect parameters so that a typical PHP error screen is shown, revealing the absolute path of the file in error. With this information the MD5 hash (absolute path + 's0merand0mjunk!111') can be recreated, and with it an HTTP POST is sent to upload the file. The file, of course, must have a valid extension, for example ".jpg".

Once the upload is done, a second HTTP request sends the data needed to rename the file from ".jpg" (or whatever extension you chose) to ".php".

At this point you have a shell on the site and can perform any action allowed to the web server user of the victim site.
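The two weaknesses described above (a blacklist that is only enforced on upload, and an "obfuscate" secret left at its shipped default) are what a patched upload handler has to close. The following PHP is an added illustration written for this post, not TinyBrowser's or Joomla's own code; the function names and the allowlist are assumptions:

```php
<?php
// Added example, not TinyBrowser's own code. One allowlist check applied on BOTH the
// upload path and the rename path, so that renaming "image.jpg" to "image.php" is refused
// just as uploading "image.php" directly would be.

// Allowlist instead of blacklist: only these extensions may exist in the upload folder.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function extension_allowed(string $filename): bool {
    // Work on the bare name and refuse more than one dot ("file.php.jpg"), so that
    // web servers which honour multiple extensions cannot be talked into running it.
    $base = basename($filename);
    if ($base === '' || substr_count($base, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

function check_upload(array $file): bool {
    // $file is one entry of $_FILES. Validate the name, never the client-supplied MIME type,
    // and additionally confirm the content parses as an image at all.
    if (!extension_allowed($file['name'])) {
        return false;
    }
    return @getimagesize($file['tmp_name']) !== false;
}

function check_rename(string $old, string $new): bool {
    // The rename endpoint must enforce exactly the same rule as the upload endpoint.
    return extension_allowed($old) && extension_allowed($new);
}

// The "obfuscate" value only protects the upload endpoint if it is unique per site.
// Generate it once at install time (hypothetical helper) instead of shipping a default.
function generate_obfuscate_secret(): string {
    return bin2hex(random_bytes(32));
}

function token_valid(string $presented, string $absPath, string $secret): bool {
    // Same MD5(absolute path . secret) scheme as the original, but with an unguessable
    // secret and a constant-time comparison.
    $expected = md5($absPath . $secret);
    return hash_equals($expected, $presented);
}
```

With this in place, check_rename('image.jpg', 'image.php') returns false, and the hash check no longer depends on a value every installation shares.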

As mentioned at the beginning of the article: always keep your web applications updated to the latest releases! ;)

capn3m0

About capn3m0

I am a 28-year-old geek, in love with computer science since the age of 7. Passionate about web programming languages and computer security. In 2007 I created this site to collect everything I learn every day in my work in an IT department.


2 Responses to "[EXPLOIT] - TinyMCE on Joomla 1.5.12 RCE upload vulnerability"

  1. capn3m0 Says:

    Hello,

    As for a video, over the weekend I'll try to see if someone has already made one, or if I find the time I'll make it myself.

    Since you are interested in this topic, I'd also like to point you to this other set of holes that keep being found in the TinyMCE editor:

    http://www.exploit-db.com/exploits/11358

    Bye,

    capn3m0

  2. hello Says:

    Hello, where can I see a video to get a better idea...
