__________.__ __ ___ ___ \______ \ | _____ ____ | | __ / | \ ____ | | _/ | \__ \ _/ ___\| |/ / ______ / ~ \/ ___\ | | \ |__/ __ \\ \___| < /_____/ \ Y / /_/ > |______ /____(____ /\___ >__|_ \ \___|_ /\___ / \/ \/ \/ \/ \//_____/ .ORG [+] Info================================================================= # Title: Drupal Htmlarea Modules (4.7.x-1.x) / Arbitary File Upload Vulnerabilities # Author: Net.Edit0r # Contact: Net.Edit0r[at]Att[dot]Net # Vendor: https://drupal.org/project/htmlarea # Software Link: http://ftp.drupal.org/files/projects/htmlarea-4.7.x-1.x-dev.zip # Version: 4.7.x-1.x (The new version of the module is vulnerable fix) # Tested on: Linux - About the Software: Allows Drupal to use the HTMLArea WYSIWYG formatter to replace text area fields. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) File Upload Vulnerabilities in "/insert_image.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Vulnerable Code Snippet : every use of drupal_get_path() or url() in insert_image.php creates incorrect paths. the use of drupal_get_path() in htmlarea.module: case 'uploadimage': $popup = drupal_get_path('module', 'htmlarea') .'/plugins/UploadImage/popups/insert_image.php'; $output[] = " editor.registerPlugin('$plugin', '$popup');"; break; - Proof of concept for Exploitation: http://Localhost/plugins/UploadImage/popups/insert_image.php Image URL: /image/view/ - Credits: #BHG BlackHat Group - Information Security Consultant WebSite : WWW.Black-hg.oRG # Tnx To : Ahmadbady ~ 3H34N ~ G3n3Rall ~ l4tr0d3ctism ~ NoL1m1t ~ MojtabaFbi ~ E2MA3N ~ offender # Iranian HackerZ [Persian Gulf]