TinyBrowser, the file browser bundled with the TinyMCE editor, is an embedded Flash-based application backed by PHP scripts that handle the upload, renaming and editing of files. In Joomla 1.5.12 these scripts are reachable from outside the site without authentication, so an unauthenticated attacker can upload arbitrary files and rename them, which leads to remote code execution (RCE) through PHP.
Exploitation
Stages
- The attacker sends an unauthenticated HTTP GET request directly to the Joomla TinyBrowser upload.php script and retrieves the obfuscation code, a token that the upload page embeds and that upload_file.php expects on later requests.
- The attacker sends an HTTP POST request to upload_file.php carrying the obfuscation code and a file that contains PHP code but is named with an extension the uploader accepts.
- The attacker sends an HTTP POST request to edit.php with the rename action, renaming the uploaded file so that it ends in .php.
- The attacker requests the renamed file under /images/stories/, the directory where TinyBrowser stores uploads; the web server executes it as PHP and the attacker has RCE on the server.
Prerequisites
The attacker must be able to send HTTP requests to the vulnerable Joomla host. No account or credentials are required.
Vulnerability Description
A Joomla 1.5.12 installation ships with the TinyMCE editor plugin, which provides a fully featured WYSIWYG editor. Its file browser, TinyBrowser, is an embedded Flash-based application whose server side consists of PHP scripts (upload.php, upload_file.php and edit.php) that handle the upload, renaming and editing of files. Those scripts perform no authentication check, so they can be called from outside the site by anyone. Because the upload path only filters on file extension while the rename action lets the caller change that extension afterwards, an attacker can place a file of their choosing under /images/stories/ with a .php extension and have the server execute it, giving RCE with the privileges of the PHP process.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this exploit and has developed signatures to detect it, depending on the security service in place.
The network-based intrusion detection system (IDS) used by Alert Logic Threat Manager™ has been updated with signatures for this exploit. When a signature fires, an incident is generated in the Alert Logic console.
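The request sequence listed under Stages above is also what a detection rule keys on. The following Python script, added here as an illustration (it is neither Alert Logic's signature nor code from this page), replays that sequence over a few constructed Apache access-log lines and raises one alert per client. It assumes the TinyBrowser scripts live under /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ (that path is an assumption; only the script names and the /images/stories/ upload directory come from the advisory), and, because the rename action travels in a POST body that access logs do not record, it treats any POST to edit.php as the rename stage.

```python
import re
from collections import defaultdict

# Assumed location of the TinyBrowser scripts in a Joomla 1.5 install; adjust
# to the real path. Script names and /images/stories/ come from the advisory.
TINYBROWSER_DIR = "/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/"
UPLOAD_DIR = "/images/stories/"

# Apache combined log format: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): one client running the full
# chain, one only probing upload.php, one ordinary visitor fetching an image.
SAMPLE_LOG = f"""\
203.0.113.5 - - [10/Aug/2009:12:00:01 +0000] "GET {TINYBROWSER_DIR}upload.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2009:12:00:02 +0000] "POST {TINYBROWSER_DIR}upload_file.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2009:12:00:03 +0000] "POST {TINYBROWSER_DIR}edit.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2009:12:00:04 +0000] "GET {UPLOAD_DIR}shell.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2009:12:00:30 +0000] "GET {TINYBROWSER_DIR}upload.php HTTP/1.1" 200 4821 "-" "curl/7.19"
198.51.100.7 - - [10/Aug/2009:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2009:12:01:05 +0000] "GET {UPLOAD_DIR}logo.png HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

STAGES = ("probe", "upload", "rename", "execute")


def classify(method, path, status):
    """Map one request to an attack stage from the advisory, or None."""
    p = path.split("?", 1)[0].lower()
    if p.startswith(TINYBROWSER_DIR):
        script = p[len(TINYBROWSER_DIR):]
        if method == "GET" and script == "upload.php":
            return "probe"      # stage 1: fetch the obfuscation code
        if method == "POST" and script == "upload_file.php":
            return "upload"     # stage 2: upload under an accepted extension
        if method == "POST" and script == "edit.php":
            return "rename"     # stage 3: rename to .php (action is in the body)
    if (method == "GET" and p.startswith(UPLOAD_DIR)
            and p.endswith(".php") and status == "200"):
        return "execute"        # stage 4: PHP served from the upload directory
    return None


def analyze(log_text):
    """Return {client_ip: [stages in order of first appearance]} for every
    client that touched at least one stage."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m["method"], m["path"], m["status"])
        if stage and stage not in seen[m["ip"]]:
            seen[m["ip"]].append(stage)
    return dict(seen)


def _in_order(needed, stages):
    """True if every element of `needed` appears in `stages`, in that order."""
    it = iter(stages)
    return all(s in it for s in needed)


def alerts(log_text):
    """One (ip, severity, message) tuple per suspicious client."""
    out = []
    for ip, stages in analyze(log_text).items():
        if _in_order(("upload", "rename", "execute"), stages):
            out.append((ip, "critical", "tinybrowser upload/rename/execute chain"))
        elif "execute" in stages:
            out.append((ip, "high", "PHP executed from " + UPLOAD_DIR))
        else:
            # Any unauthenticated hit on the TinyBrowser scripts is worth a look.
            out.append((ip, "medium", "tinybrowser access: " + ",".join(stages)))
    return out


if __name__ == "__main__":
    for ip, severity, message in alerts(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} {message}")
```

The order check matters: a client that only fetches upload.php may be a scanner, while upload followed by rename followed by a successful GET of a .php file under the upload directory is the complete chain from the Stages section. A .php file answered with 200 from /images/stories/ is suspicious on its own, whichever client requests it, so it is reported even when the earlier stages came from another address or fell outside the log window.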
Recommendations for Mitigation
Update Joomla to a release later than 1.5.12 in which this issue is fixed. Until the upgrade is applied, block unauthenticated access to the TinyBrowser scripts at the web server, and configure the web server not to execute PHP from the upload directory /images/stories/ so that a renamed upload cannot run. Check that directory for .php files that should not be there; their presence indicates the chain has already been completed.