TinyMCE JBimages plugin versions 3.x from JustBoilMe suffers from an arbitrary file upload vulnerability.
####################################################################
# Exploit Title : TinyMCE JBimages Plugin 3.x JustBoilMe Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : justboil.marketto.ru ~ tiny.cloud
# Software Download Link : github.com/28harishkumar/blog/tree/master/public/js/tinymce
# Software Information Link : tiny.cloud/docs/plugins/
# Software Affected Version : 3.x /4.x / 5.x and Free Version
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
One Click Image Upload for TinyMCE JBimages Plugin Version 5 and previous versions.
JustBoil.me Images is a simple, elegant image upload plugin for TinyMCE.
It is free, open source and licensed under the Creative Commons Attribution 3.0 Unported License.
####################################################################
# Impact :
***********
TinyMCE JBimages Plugin is prone to a vulnerability that lets attackers upload arbitrary files
because it fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it
in the context of the webserver process. This may facilitate unauthorized access
or privilege escalation; other attacks are also possible.
Remote attackers can exploit this issue from an ordinary browser by requesting the upload dialog on the target site via its URL.
This issue may allow attackers to place malicious scripts on a server, which can lead to various attacks.
####################################################################
# Vulnerable Source Code :
************************
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Upload an image</title>
<script type="text/javascript" src="js/dialog-v4.js"></script>
<link href="css/dialog-v4.css" rel="stylesheet" type="text/css">
</head>
<body>
<form class="form-inline" id="upl" name="upl" action="ci/index.php?upload/english" method="post" enctype="multipart/form-data" target="upload_target" onsubmit="jbImagesDialog.inProgress();">
<div id="upload_in_progress" class="upload_infobar"><img src="img/spinner.gif" width="16" height="16" class="spinner">Upload in progress… <div id="upload_additional_info"></div></div>
<div id="upload_infobar" class="upload_infobar"></div>
<p id="upload_form_container">
<input id="uploader" name="userfile" type="file" class="jbFileBox" onChange="document.upl.submit(); jbImagesDialog.inProgress();">
</p>
<p id="the_plugin_name"><a href="http://justboil.me/" target="_blank" title="JustBoil.me — a TinyMCE Images Upload Plugin">JustBoil.me Images Plugin</a></p>
</form>
<iframe id="upload_target" name="upload_target" src="ci/index.php?blank"></iframe>
</body>
</html>
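The dialog above hands the chosen file to the server-side upload handler (ci/index.php?upload/...) with no validation on the client, and the advisory's point is that the server does not adequately sanitize it either. The following is an added example of the kind of check a hardened image upload handler should perform; it is not the plugin's own code, and the function name and rules are assumptions chosen for illustration.

```python
import os
import re
import secrets
from typing import Tuple

# Allowed extensions mapped to the file signatures the content must carry.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_image_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detail). On success, detail is a server-chosen
    filename; on failure, it is the reason for rejection."""
    # 1. Never trust the client-supplied path: keep the basename only so
    #    "../" sequences cannot steer the file outside the upload directory.
    name = os.path.basename(client_filename.replace("\\", "/"))
    parts = name.lower().split(".")
    # 2. Exactly one extension, with a plain name in front of it. This also
    #    rejects "x.php.png"-style double extensions, which some server
    #    configurations still hand to the PHP interpreter.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "filename must be <name>.<ext> with a plain name"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '{ext}' not permitted"
    # 3. The content must begin with the signature of the declared image type,
    #    so renaming a script to .png is not enough to get it stored.
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match the declared image type"
    # 4. Defence in depth: refuse image data carrying embedded PHP open tags
    #    (image/script polyglots), regardless of a valid image header.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag found in image data"
    # 5. Store under a random server-chosen name; only the vetted extension
    #    survives from the client's input.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("photo.png", sample_png))
    print(validate_image_upload("../../photo.png", sample_png))
    print(validate_image_upload("page.php", b"<?php echo 1; ?>"))
```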
# Arbitrary File Upload Exploits :
****************************
/tinymce/plugins/jbimages/dialog.htm
/admin/includes/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/Administration/Content/tinymce/plugins/jbimages/dialog-v4.htm
/js/tinymce/plugins/jbimages/dialog-v4.htm
/live/_painel/textare/tinymce/plugins/jbimages/dialog-v4.htm
/scripts/tinymce/plugins/jbimages/dialog-v4.htm
/vendor/tinymce/plugins/jbimages/dialog-v4.htm
/user_data/tinymce/plugins/jbimages/dialog-v4.htm
/adm/sistema/aplicativo/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/app/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm
/main/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/plugins-new/tinymce/plugins/jbimages/dialog-v4.htm
/media/tinymce/plugins/jbimages/dialog-v4.htm
/site/public/scripts/tinymce/plugins/jbimages/dialog-v4.htm
/king-admin/tinymce/plugins/jbimages/dialog-v4.htm
/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/frontend/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/includes/tinymce/plugins/jbimages/dialog-v4.htm
/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/ojs/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/ojsinvestigacion/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/revista/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/themes/admin/vendors/bower_components/tinymce/plugins/jbimages/dialog-v4.htm
/wp-content/themes/career-grooms/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/wp-content/plugins/Soci_Traffic_Pro/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/static/admin/plugin/tinymce/plugins/jbimages/dialog-v4.htm
/extras/admin/js/tiny_mce/plugins/jbimages/dialog.htm
/tinymce/plugins/jbimages/dialog-v4.htm
/system/js/libs/tiny_mce/plugins/jbimages/dialog.htm
/ressources/js/tinymce/plugins/jbimages/dialog-v4.htm
/admin.[DOMAIN-ADDRESS-HERE].com/app/template/js/tinymce/plugins/jbimages/dialog-v4.htm
/data/control/js/tinymce/plugins/jbimages/dialog-v4.htm
/js/vendor/tinymce/plugins/jbimages/dialog-v4.htm
/text_editor/jscripts/tiny_mce/plugins/jbimages/dialog.htm
/public/js/tiny_mce/plugins/jbimages/dialog.htm
/cms/assets/js/tiny_mce/plugins/jbimages/dialog.htm
/assets/bower_components/tinymce/plugins/jbimages/dialog-v4.htm
/content/admin/javascript/tinymce/plugins/jbimages/
/preview/assets/admin/tinymce/plugins/jbimages/dialog-v4.htm
/content/tinymce/plugins/jbimages/dialog-v4.htm
/public/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm
/sapred/bibliotecas/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/backend/tinymce/plugins/jbimages/dialog-v4.htm
/loja/app/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm
/httpdocs-bak/httpdocs/tinymce/plugins/jbimages/dialog-v4.htm
/nextgest/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/assets/tinymce/plugins/jbimages/dialog-v4.htm
/public/content/tinymce/plugins/jbimages/dialog-v4.htm
/apps/ownnote/js/tinymce/plugins/jbimages/dialog-v4.htm
/common/admin/js/tinymce/plugins/jbimages/dialog-v4.htm
/socialDev1/externals/tinymce/plugins/jbimages/dialog-v4.htm
/kutaibarat/js/tinymce/plugins/jbimages/dialog-v4.htm
/v02/assets/js/tinymce/plugins/jbimages/dialog-v4.htm
/Lukas/js/tinymce/plugins/jbimages/dialog-v4.htm
/Lukas/js/tinymce/plugins/jbimages/dialog.htm
/3adminp/js/tinymce/plugins/jbimages/dialog-v4.htm
/view/js/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/ieee-cis/assets/tinymce/plugins/jbimages/dialog-v4.htm
/resources_xt/FW/scripts/tinymce-4.2.6/plugins/jbimages/dialog-v4.htm
/store/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog-v4.htm
/wp-includes/js/tinymce/plugins/jbimages/dialog-v4.htm
/engine/application/views/admin/template/resources/js/tinymce/plugins/jbimages/dialog-v4.htm
/w3skills/editor/plugins/jbimages/dialog-v4.htm
/web/utils/templates/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm
/plugins/tiny_mce/plugins/jbimages/dialog-v4.htm
/application/views/admin/assets/js/TinyMCE/tiny_mce/plugins/jbimages/dialog.htm
/site/assets/grocery_crud/texteditor/tiny_mce/plugins/jbimages/dialog-v4.htm
/site/assets/grocery_crud/texteditor/tiny_mce/plugins/jbimages/dialog.htm
/App_Themes/Homevestors/Libs/js/tinymce4.7/plugins/jbimages/dialog.htm
/admin/inc/tiny_mce/plugins/jbimages/dialog.htm
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################