__________.__ __ ___ ___
\______ \ | _____ ____ | | __ / | \ ____
| | _/ | \__ \ _/ ___\| |/ / ______ / ~ \/ ___\
| | \ |__/ __ \\ \___| < /_____/ \ Y / /_/ >
|______ /____(____ /\___ >__|_ \ \___|_ /\___ /
\/ \/ \/ \/ \//_____/
.ORG
[+] Info=================================================================
# Title: Drupal Htmlarea Modules (4.7.x-1.x) / Arbitary File Upload Vulnerabilities
# Author: Net.Edit0r
# Contact: Net.Edit0r[at]Att[dot]Net
# Vendor: https://drupal.org/project/htmlarea
# Software Link: http://ftp.drupal.org/files/projects/htmlarea-4.7.x-1.x-dev.zip
# Version: 4.7.x-1.x (The new version of the module is vulnerable fix)
# Tested on: Linux
- About the Software:
Allows Drupal to use the HTMLArea WYSIWYG formatter to replace text area fields.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) File Upload Vulnerabilities in "/insert_image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Vulnerable Code Snippet :
every use of drupal_get_path() or url() in insert_image.php creates incorrect paths.
the use of drupal_get_path() in htmlarea.module:
case 'uploadimage':
$popup = drupal_get_path('module', 'htmlarea') .'/plugins/UploadImage/popups/insert_image.php';
$output[] = " editor.registerPlugin('$plugin', '$popup');";
break;
- Proof of concept for Exploitation:
http://Localhost/plugins/UploadImage/popups/insert_image.php
Image URL: /image/view/
- Credits:
#BHG BlackHat Group - Information Security Consultant
WebSite : WWW.Black-hg.oRG
# Tnx To : Ahmadbady ~ 3H34N ~ G3n3Rall ~ l4tr0d3ctism ~ NoL1m1t ~ MojtabaFbi ~ E2MA3N ~ offender
# Iranian HackerZ [Persian Gulf]