Drupal Htmlarea Modules (4.7.x-1.x) Arbitrary File Upload Vulnerabilities

2013.05.07
Credit: Net.Edit0r
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[+] Info=================================================================

# Title: Drupal Htmlarea Modules (4.7.x-1.x) / Arbitrary File Upload Vulnerabilities
# Author: Net.Edit0r
# Contact: Net.Edit0r[at]Att[dot]Net
# Vendor: https://drupal.org/project/htmlarea
# Software Link: http://ftp.drupal.org/files/projects/htmlarea-4.7.x-1.x-dev.zip
# Version: 4.7.x-1.x (the new version of the module is vulnerable; no fix)
# Tested on: Linux

- About the Software:
Allows Drupal to use the HTMLArea WYSIWYG formatter to replace text area fields.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) File Upload Vulnerabilities in "/insert_image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Vulnerable Code Snippet:
Every use of drupal_get_path() or url() in insert_image.php creates incorrect paths. The use of drupal_get_path() in htmlarea.module:

    case 'uploadimage':
      $popup = drupal_get_path('module', 'htmlarea') .'/plugins/UploadImage/popups/insert_image.php';
      $output[] = "  editor.registerPlugin('$plugin', '$popup');";
      break;

- Proof of concept for Exploitation:
http://Localhost/plugins/UploadImage/popups/insert_image.php
Image URL: /image/view/

- Credits: #BHG BlackHat Group - Information Security Consultant
WebSite: WWW.Black-hg.oRG
# Tnx To: Ahmadbady ~ 3H34N ~ G3n3Rall ~ l4tr0d3ctism ~ NoL1m1t ~ MojtabaFbi ~ E2MA3N ~ offender
# Iranian HackerZ [Persian Gulf]
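A defender-side check for the issue described above, added here as an example and not part of the advisory or the htmlarea module: it scans web-server access logs for requests that reach the UploadImage popup directly and for script files being served out of the upload directory. The module path /sites/all/modules/htmlarea and the upload directory /sites/default/files are assumptions about a typical Drupal layout, and the log lines are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2013:10:01:02 +0000] "GET /sites/all/modules/htmlarea/plugins/UploadImage/popups/insert_image.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [07/May/2013:10:01:09 +0000] "POST /sites/all/modules/htmlarea/plugins/UploadImage/popups/insert_image.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.5 - - [07/May/2013:10:01:15 +0000] "GET /sites/default/files/images/cmd.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [07/May/2013:10:02:00 +0000] "GET /sites/default/files/images/logo.png HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Popup path from the advisory; matched case-insensitively as a suffix so the
# (assumed) module directory prefix does not matter.
UPLOAD_POPUP = "/plugins/uploadimage/popups/insert_image.php"
# Assumed Drupal public files directory where uploaded images land.
FILES_DIR = "/sites/default/files/"
# Executable extensions that must never be served from the files directory;
# the trailing group also catches double extensions such as "x.php.jpg".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        reason = None
        if path.lower().endswith(UPLOAD_POPUP):
            # Any direct hit on the popup is worth review; a POST is an upload attempt.
            reason = "upload_popup_request"
        elif path.startswith(FILES_DIR) and SCRIPT_EXT.search(path.rsplit("/", 1)[-1]):
            reason = "script_in_files_dir"
        if reason:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "method": m.group("method"), "path": path,
                             "status": m.group("status"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} -> {f['reason']}")
```

The same logic can be pointed at a real access log, and a hit on script_in_files_dir with status 200 is the signal that an uploaded file was executed rather than merely stored.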

References:

https://drupal.org/project/htmlarea
http://ftp.drupal.org/files/projects/htmlarea-4.7.x-1.x-dev.zip
http://WWW.Black-hg.oRG


Copyright 2024, cxsecurity.com