TinyMCE JBimages Plugin 3.x JustBoilMe Arbitrary File Upload Vulnerability

2019.02.18
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

####################################################################
# Exploit Title : TinyMCE JBimages Plugin 3.x JustBoilMe Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 16/02/2019
# Vendor Homepage : justboil.marketto.ru ~ tiny.cloud
# Software Download Link : github.com/28harishkumar/blog/tree/master/public/js/tinymce
# Software Information Link : tiny.cloud/docs/plugins/
# Software Affected Version : 3.x / 4.x / 5.x and Free Version
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html
####################################################################
# Description about Software :
***************************
One Click Image Upload for TinyMCE JBimages Plugin Version 5 and previous versions.
JustBoil.me Images is a simple, elegant image upload plugin for TinyMCE. It is free, open source and licensed under the Creative Commons Attribution 3.0 Unported License.
####################################################################
# Impact :
***********
TinyMCE JBimages Plugin is prone to an arbitrary file upload vulnerability because it fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Remote attackers can exploit the issue from a browser by requesting the plugin's upload dialog on the target site via its URL. This issue may allow attackers to place malicious scripts on the server, which can lead to various further attacks.
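The Impact section says the plugin fails to sanitize user-supplied input on upload; the plugin's own server-side handler (the ci/index.php endpoint its dialog posts to) is not reproduced on this page. The block below is an added example, written for this advisory and not the plugin's code, of the checks an image upload endpoint needs in order to refuse the kinds of files an arbitrary-upload bug lets through: a strict extension allowlist, exactly one extension in the name, no NUL bytes, magic-byte sniffing of the content against the claimed type, a size cap, and a server-generated filename. The names validate_image_upload, upload_decision, ALLOWED_TYPES and MAX_BYTES, and the policy values in them, are this example's own assumptions.

```python
import os
import re
import secrets
from typing import Tuple

# Allowed image types, mapped to the magic-byte prefixes each must start
# with. The table and the size cap are this example's assumed policy.
ALLOWED_TYPES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB

# Exactly one extension and a plain stem: this one rule rejects
# "shell.php.jpg", ".htaccess" and names carrying path separators.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")


class UploadRejected(ValueError):
    """Raised with a human-readable reason when a check fails."""


def validate_image_upload(client_filename: str, data: bytes) -> str:
    """Check an uploaded file and return a fresh server-side filename.

    The client's filename and Content-Type are attacker-controlled, so the
    decision rests only on the file bytes and the extension allowlist.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")

    # Keep only the last path component so "../" prefixes carry no weight.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("NUL byte in filename")

    m = SAFE_NAME_RE.fullmatch(base)
    if not m:
        raise UploadRejected("filename must be <name>.<ext> with one extension")
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")

    # Content sniffing: the bytes must actually look like the claimed type.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")

    # Random name with the verified extension; the client's name never
    # reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"


def upload_decision(client_filename: str, data: bytes) -> Tuple[str, str]:
    """Non-raising wrapper: ("accepted", safe_name) or ("rejected", reason)."""
    try:
        return "accepted", validate_image_upload(client_filename, data)
    except UploadRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample uploads: one benign PNG and several of the
    # shapes an upload check has to refuse.
    samples = [
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
        ("script.php", b"<?php echo 'not an image'; ?>"),
        ("script.php.jpg", b"\xff\xd8\xff" + b"\x00" * 16),
        ("script.php\x00.jpg", b"\xff\xd8\xff" + b"\x00" * 16),
        ("cat.jpg", b"<?php echo 'not an image'; ?>"),
        (".htaccess", b"AddType application/x-httpd-php .jpg"),
        ("../../cat.gif", b"GIF89a" + b"\x00" * 8),
    ]
    for name, blob in samples:
        print(f"{name!r:24} -> {upload_decision(name, blob)}")
```

A prefix check on magic bytes does not catch a file that begins with a valid image header and carries script after it, so the filename and content checks are only half of the fix: the accepted file should be written outside the document root, or into a directory the web server is configured never to execute, and served back with a fixed image Content-Type. Re-encoding the image through an image library before storing it removes such trailing payloads as well. The upload endpoint should additionally require the same authenticated editor session as the page that embeds TinyMCE.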
####################################################################
# Vulnerable Source Code : [ dialog-v4.htm ]
************************
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Upload an image</title>
<script type="text/javascript" src="js/dialog-v4.js"></script>
<link href="css/dialog-v4.css" rel="stylesheet" type="text/css">
</head>
<body>
<form class="form-inline" id="upl" name="upl" action="ci/index.php?upload/english" method="post" enctype="multipart/form-data" target="upload_target" onsubmit="jbImagesDialog.inProgress();">
<div id="upload_in_progress" class="upload_infobar"><img src="img/spinner.gif" width="16" height="16" class="spinner">Upload in progress&hellip; <div id="upload_additional_info"></div></div>
<div id="upload_infobar" class="upload_infobar"></div>
<p id="upload_form_container">
<input id="uploader" name="userfile" type="file" class="jbFileBox" onChange="document.upl.submit(); jbImagesDialog.inProgress();">
</p>
<p id="the_plugin_name"><a href="http://justboil.me/" target="_blank" title="JustBoil.me &mdash; a TinyMCE Images Upload Plugin">JustBoil.me Images Plugin</a></p>
</form>
<iframe id="upload_target" name="upload_target" src="ci/index.php?blank"></iframe>
</body>
</html>
####################################################################
# Vulnerable Source Code : [ dialog.htm ]
************************
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>{#jbimages_dlg.title}</title>
<script type="text/javascript" src="../../tiny_mce_popup.js"></script>
<script type="text/javascript" src="js/dialog.js"></script>
<link href="css/dialog.css" rel="stylesheet" type="text/css">
</head>
<body>
<form class="form-inline" id="upl" name="upl" action="ci/index.php/upload/{#jbimages_dlg.lang_id}" method="post" enctype="multipart/form-data" target="upload_target" onsubmit="jbImagesDialog.inProgress();">
<h2>{#jbimages_dlg.select_an_image}</h2>
<div id="upload_in_progress" class="upload_infobar"><img src="img/spinner.gif" width="16" height="16" class="spinner">{#jbimages_dlg.upload_in_progress}&hellip; <div id="upload_additional_info"></div></div>
<div id="upload_infobar" class="upload_infobar"></div>
<p id="upload_form_container">
<input id="uploader" name="userfile" type="file" class="jbFileBox" onChange="document.upl.submit(); jbImagesDialog.inProgress();" size="8">
<button type="submit" class="btn">{#jbimages_dlg.upload}</button>
</p>
<p id="the_plugin_name"><a href="http://justboil.me/" target="_blank" title="JustBoil.me Images - a TinyMCE Images Upload Plugin">JustBoil.me Images Plugin</a></p>
<div id="close_link"><a href="#" onclick="tinyMCEPopup.close(); return false;">Close [&times;]</a></div>
</form>
<iframe id="upload_target" name="upload_target" src="ci/index.php/blank"></iframe>
</body>
</html>
####################################################################
# Arbitrary File Upload Exploits :
****************************
/tinymce/plugins/jbimages/dialog.htm
/admin/includes/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/Administration/Content/tinymce/plugins/jbimages/dialog-v4.htm
/js/tinymce/plugins/jbimages/dialog-v4.htm
/live/_painel/textare/tinymce/plugins/jbimages/dialog-v4.htm
/scripts/tinymce/plugins/jbimages/dialog-v4.htm
/vendor/tinymce/plugins/jbimages/dialog-v4.htm
/user_data/tinymce/plugins/jbimages/dialog-v4.htm
/adm/sistema/aplicativo/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/app/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm
/main/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/plugins-new/tinymce/plugins/jbimages/dialog-v4.htm
/media/tinymce/plugins/jbimages/dialog-v4.htm
/site/public/scripts/tinymce/plugins/jbimages/dialog-v4.htm
/king-admin/tinymce/plugins/jbimages/dialog-v4.htm
/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/frontend/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/includes/tinymce/plugins/jbimages/dialog-v4.htm
/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/ojs/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/ojsinvestigacion/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/revista/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/themes/admin/vendors/bower_components/tinymce/plugins/jbimages/dialog-v4.htm
/wp-content/themes/career-grooms/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/wp-content/plugins/Soci_Traffic_Pro/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/static/admin/plugin/tinymce/plugins/jbimages/dialog-v4.htm
/extras/admin/js/tiny_mce/plugins/jbimages/dialog.htm
/tinymce/plugins/jbimages/dialog-v4.htm
/system/js/libs/tiny_mce/plugins/jbimages/dialog.htm
/ressources/js/tinymce/plugins/jbimages/dialog-v4.htm
/admin.[DOMAIN-ADRESS-HERE].com/app/template/js/tinymce/plugins/jbimages/dialog-v4.htm
/data/control/js/tinymce/plugins/jbimages/dialog-v4.htm
/js/vendor/tinymce/plugins/jbimages/dialog-v4.htm
/text_editor/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/public/js/tiny_mce/plugins/jbimages/dialog.htm
/cms/assets/js/tiny_mce/plugins/jbimages/dialog.htm
/assets/bower_components/tinymce/plugins/jbimages/dialog-v4.htm
/content/admin/javascript/tinymce/plugins/jbimages/
/preview/assets/admin/tinymce/plugins/jbimages/dialog-v4.htm
/content/tinymce/plugins/jbimages/dialog-v4.htm
/public/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm
/vendor/tinymce/plugins/jbimages/dialog-v4.htm
/sapred/bibliotecas/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/backend/tinymce/plugins/jbimages/dialog-v4.htm
/media/tinymce/plugins/jbimages/dialog-v4.htm
/loja/app/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm
/httpdocs-bak/httpdocs/tinymce/plugins/jbimages/dialog-v4.htm
/nextgest/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/tinymce/plugins/jbimages/dialog-v4.htm
/public/content/tinymce/plugins/jbimages/dialog-v4.htm
/apps/ownnote/js/tinymce/plugins/jbimages/dialog-v4.htm
/common/admin/js/tinymce/plugins/jbimages/dialog-v4.htm
/socialDev1/externals/tinymce/plugins/jbimages/dialog-v4.htm
/kutaibarat/js/tinymce/plugins/jbimages/dialog-v4.htm
/v02/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/Lukas/js/tinymce/plugins/jbimages/dialog-v4.htm
/Lukas/js/tinymce/plugins/jbimages/dialog.htm
/3adminp/js/tinymce/plugins/jbimages/dialog-v4.htm
/content/tinymce/plugins/jbimages/dialog-v4.htm
/view/js/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/ieee-cis/assets/tinymce/plugins/jbimages/dialog-v4.htm
/resources_xt/FW/scripts/tinymce-4.2.6/plugins/jbimages/dialog-v4.htm
/store/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog-v4.htm
/wp-includes/js/tinymce/plugins/jbimages/dialog-v4.htm
/engine/application/views/admin/template/resources/js/tinymce/plugins/jbimages/dialog-v4.htm
/w3skills/editor/plugins/jbimages/dialog-v4.htm
/web/utils/templates/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/plugins/tiny_mce/plugins/jbimages/dialog-v4.htm
/application/views/admin/assets/js/TinyMCE/tiny_mce/plugins/jbimages/dialog.htm
/site/assets/grocery_crud/texteditor/tiny_mce/plugins/jbimages/dialog-v4.htm
/site/assets/grocery_crud/texteditor/tiny_mce/plugins/jbimages/dialog.htm
/App_Themes/Homevestors/Libs/js/tinymce4.7/plugins/jbimages/dialog.htm
/admin/inc/tiny_mce/plugins/jbimages/dialog.htm
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
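For a defender, the path list above is an inventory of where this plugin tends to sit inside larger applications, and the two dialog pages show exactly what its traffic looks like: a GET for dialog.htm or dialog-v4.htm, then a multipart POST to ci/index.php with "upload" in the query string (dialog-v4.htm) or in the path (dialog.htm). The block below is an added example, not part of the advisory, that turns that into three log rules and runs them over constructed combined-format access log lines: a low-severity hit for any request to the dialog page (a 200 means the plugin is reachable, a 404 means someone is probing for it), a medium-severity hit for the upload POST, and a high-severity hit for any .php file requested under a jbimages/ tree other than the plugin's own ci/index.php. The sample paths, addresses and the ci/uploads/ directory are constructed for the example; the page does not state where the plugin stores uploaded files. The function names analyze, classify and worst_per_ip are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache/Nginx combined log format; fields not needed are matched, not kept.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
DIALOG_RE = re.compile(r"/plugins/jbimages/dialog(?:-v4)?\.htm$")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample log lines (addresses from the documentation ranges).
# The ci/uploads/ directory in line 4 is a placeholder, not a path taken
# from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Feb/2019:10:01:02 +0000] "GET /js/tinymce/plugins/jbimages/dialog-v4.htm HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Feb/2019:10:01:05 +0000] "POST /js/tinymce/plugins/jbimages/ci/index.php?upload/english HTTP/1.1" 200 311 "http://example.test/js/tinymce/plugins/jbimages/dialog-v4.htm" "Mozilla/5.0"
198.51.100.7 - - [16/Feb/2019:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4820 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Feb/2019:10:02:10 +0000] "GET /js/tinymce/plugins/jbimages/ci/uploads/x9k2.php HTTP/1.1" 200 57 "-" "curl/7.64.0"
192.0.2.5 - - [16/Feb/2019:10:03:00 +0000] "GET /admin/includes/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm HTTP/1.1" 404 210 "-" "python-requests/2.21"
192.0.2.5 - - [16/Feb/2019:10:03:01 +0000] "POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/en HTTP/1.1" 404 210 "-" "python-requests/2.21"
"""


def classify(method: str, target: str) -> Optional[Tuple[str, str]]:
    """Return (rule, severity) for one request line, or None if uninteresting."""
    path = target.split("?", 1)[0]
    if "/jbimages/" in path and path.endswith(".php") and not path.endswith("/ci/index.php"):
        # A PHP file under the plugin tree other than its front controller:
        # consistent with an uploaded script being requested.
        return "php_under_jbimages", "high"
    if method == "POST" and "/jbimages/ci/index.php" in path and "upload" in target:
        # The multipart POST both dialog forms issue (query-string style in
        # dialog-v4.htm, path style in dialog.htm).
        return "jbimages_upload_post", "medium"
    if DIALOG_RE.search(path):
        # Fetching the dialog page: exposure confirmation (200) or a probe (404).
        return "jbimages_dialog_request", "low"
    return None


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Run the rules over every parseable line and collect findings."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        hit = classify(m["method"], m["target"])
        if hit is None:
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "rule": hit[0], "severity": hit[1],
            "status": int(m["status"]), "target": m["target"],
        })
    return findings


def worst_per_ip(findings: List[Dict[str, object]]) -> Dict[str, str]:
    """Highest severity seen per client address, for triage ordering."""
    worst: Dict[str, str] = {}
    for f in findings:
        ip, sev = str(f["ip"]), str(f["severity"])
        if ip not in worst or SEVERITY_RANK[sev] > SEVERITY_RANK[worst[ip]]:
            worst[ip] = sev
    return worst


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:6} {h['rule']:24} {h['ip']:14} {h['status']} {h['target']}")
    print(worst_per_ip(hits))
```

The third rule is the one worth alerting on: a 200 for a .php file under a plugin directory that should contain only the plugin's own front controller is the signal that an upload has already succeeded, whereas dialog requests and upload POSTs also occur in legitimate editor use and are better used to confirm exposure and to find which of the installed paths is actually reachable.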

References:

packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html


Copyright 2024, cxsecurity.com

 
