11/13/17: Joomla TinyMCE Tinybrowser Unrestricted File Upload | Security Bulletin

Threat Summary

Overview

Tinybrowser, the file browser bundled with the TinyMCE editor, is an embedded Flash player application that handles the upload and editing of files. This functionality is reachable from outside the Joomla site by unauthorized users and allows arbitrary uploading and renaming of files, leading to remote code execution with PHP.

Exploitation

Stages

  1. The attacker sends an unauthorized HTTP GET request directly to the Joomla Tinybrowser upload.php to retrieve the obfuscation code.
  2. The attacker sends an HTTP POST request to upload_file.php containing the obfuscation code and a PHP file with an accepted file extension.
  3. The attacker sends an HTTP POST request to edit.php with a rename action to change the file extension to .php.
  4. The attacker accesses the uploaded PHP file in /images/stories/ and achieves PHP RCE on the server.
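As an added example (not part of the bulletin), the four stages above expressed as detection logic over web-server access-log lines: a client that uploads through upload_file.php and then renames through edit.php, or that fetches a .php file from /images/stories/, is flagged. The log format, the "tinybrowser" directory name and the sample IP addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Combined-log-format parser: client IP, method, path (with query), status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Request patterns for the bulletin's four stages ("tinybrowser" dir is assumed).
STAGES = {
    1: ("GET",  re.compile(r"/tinybrowser/upload\.php(\?|$)")),
    2: ("POST", re.compile(r"/tinybrowser/upload_file\.php")),
    3: ("POST", re.compile(r"/tinybrowser/edit\.php\?.*\baction=rename\b")),
    4: ("GET",  re.compile(r"^/images/stories/[^/?]+\.php(\?|$)")),
}

def stage_of(method, path):
    # Return the stage number (1-4) a request matches, or 0 if none.
    for num, (m, rx) in STAGES.items():
        if method == m and rx.search(path):
            return num
    return 0

def detect(log_text):
    """Return {ip: reason} for clients whose successful requests match the
    bulletin's exploitation chain."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"].startswith("2"):
            stage = stage_of(m["method"], m["path"])
            if stage:
                seen[m["ip"]].append(stage)
    alerts = {}
    for ip, seq in seen.items():
        if 4 in seq:  # PHP served from the media directory is never expected
            alerts[ip] = "php executed from /images/stories/"
        elif 2 in seq and 3 in seq[seq.index(2):]:  # upload, then rename
            alerts[ip] = "upload_file.php followed by edit.php rename"
    return alerts

# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2017:10:01:02 +0000] "GET /plugins/tinybrowser/upload.php HTTP/1.1" 200 4120
203.0.113.7 - - [13/Nov/2017:10:01:05 +0000] "POST /plugins/tinybrowser/upload_file.php?obfuscate=x HTTP/1.1" 200 51
203.0.113.7 - - [13/Nov/2017:10:01:09 +0000] "POST /plugins/tinybrowser/edit.php?action=rename HTTP/1.1" 200 312
203.0.113.7 - - [13/Nov/2017:10:01:12 +0000] "GET /images/stories/a.php HTTP/1.1" 200 17
198.51.100.9 - - [13/Nov/2017:10:02:00 +0000] "POST /plugins/tinybrowser/upload_file.php HTTP/1.1" 200 51
198.51.100.9 - - [13/Nov/2017:10:02:03 +0000] "POST /plugins/tinybrowser/edit.php?action=rename HTTP/1.1" 200 312
192.0.2.5 - - [13/Nov/2017:10:03:00 +0000] "GET /plugins/tinybrowser/upload.php HTTP/1.1" 200 4120
"""
```

The third client only loads upload.php, which an editor user does legitimately, so it is not flagged; a single hit on upload_file.php alone is likewise ignored to avoid alerting on normal editor use.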

Prerequisites

The attacker must be able to contact the victim host with crafted packets.

Vulnerability Description

The Joomla 1.5.12 installation ships with the TinyMCE editor plugin, which provides a fully featured editor. Tinybrowser, the file browser bundled with TinyMCE, is an embedded Flash player application that handles the upload and editing of files. This functionality is reachable from outside the Joomla site by unauthorized users and allows arbitrary uploading and renaming of files, leading to RCE with PHP.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature is detected, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

Update the software to a non-vulnerable version.
