Drupal Htmlarea Modules (4.7.x-1.x) Arbitary File Upload Vulnerabilities





# Title: Drupal Htmlarea Modules (4.7.x-1.x) / Arbitary File Upload Vulnerabilities
# Author: Net.Edit0r
# Vendor: https://drupal.org/project/htmlarea
# Software Link: http://ftp.drupal.org/files/projects/htmlarea-4.7.x-1.x-dev.zip
# Version: 4.7.x-1.x (The new version of the module is vulnerable fix)
# Tested on: Linux

- About the Software:

Allows Drupal to use the HTMLArea WYSIWYG formatter to replace text area fields.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) File Upload Vulnerabilities in "/insert_image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Vulnerable Code Snippet :

every use of drupal_get_path() or url() in insert_image.php creates incorrect paths.

the use of drupal_get_path() in htmlarea.module:

case 'uploadimage':

$popup = drupal_get_path('module', 'htmlarea') .'/plugins/UploadImage/popups/insert_image.php';

$output[] = " editor.registerPlugin('$plugin', '$popup');";

break;

- Proof of concept for Exploitation:

http://Localhost/plugins/UploadImage/popups/insert_image.php

Image URL: /image/view/

1 Response to "Drupal Htmlarea Modules (4.7.x-1.x) Arbitary File Upload Vulnerabilities "