
TinyMCE Exploit (3 posts)

  1. supert3d
    Member
    Posted 5 years ago #

    Tonight I came across a bizarre problem. What started out as a puzzle as to why all my sister's images in ZenPhoto were no longer showing led me on a path that ultimately exposed a pretty nasty exploit in an older version of WordPress, more specifically its WYSIWYG editor, TinyMCE.

    It turned out that every single PHP page on my sister's domain had been injected with base64 encoded code. After decoding it became quite apparent the eval(base64_encode()) included on every PHP page exploited this file: /blog/wp-includes/js/tinymce/themes/advanced/images/xp/js.php

    I then proceeded to open this file and noted, to my surprise, 1kLOC or more of base64 encoded code. I had to parse it twice to un-encode it and it suddenly became as clear as day that this modified script was responsible for injecting all my PHP files.

    I have since removed WordPress from my sister's domain as she no longer uses it, but let this be a cautionary tale for anyone using an older version of TinyMCE as a WYSIWYG editor. This has nothing to do with the core code of WordPress; as far as I can tell this only affects TinyMCE, which WordPress uses.

    I originally posted to this forum, which led me to this exploit. The thread may contain additional information in the future, so I'm including a bookmark for reference.
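The infection pattern described in the post above (an eval(base64_decode(...)) stub injected into every PHP file, with the dropper itself wrapped in two layers of base64 and parked as a .php file under an images/ directory) is the kind of thing worth scanning for on any shared host. The following Python scanner is an added example, not code from the original thread or from WordPress: it finds the eval(base64_decode('...')) stub, peels nested base64 layers until plain PHP appears, and flags PHP files sitting under an images/ path. The injected sample page, the INNER_PHP dropper text and the helper names (peel_base64, scan_php_source, is_odd_location, scan_tree) are all constructed here for illustration.

```python
import base64
import re
import sys
from pathlib import Path

# Matches the stub the post describes: eval(base64_decode('<b64>')) with either quote style.
# Real droppers also use gzinflate/str_rot13 wrappers; this regex covers only the b64 form.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
B64_CHARS_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def peel_base64(blob: str, max_layers: int = 5) -> tuple[str, int]:
    """Decode nested base64 until the result stops looking like base64.

    Returns (decoded text, number of layers removed). The post reports needing
    two passes; max_layers bounds the loop for adversarial inputs.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        compact = re.sub(r"\s+", "", current)
        # Padded base64 is a multiple of 4 and uses only the alphabet below.
        if not compact or not B64_CHARS_RE.match(compact) or len(compact) % 4:
            break
        try:
            decoded = base64.b64decode(compact, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        current = decoded
        layers += 1
    return current, layers


def scan_php_source(text: str) -> list[dict]:
    """Return one finding per injected stub, with the fully peeled payload."""
    findings = []
    for m in INJECT_RE.finditer(text):
        payload, layers = peel_base64(m.group(2))
        findings.append({"offset": m.start(), "layers": layers, "payload": payload})
    return findings


def is_odd_location(path: str) -> bool:
    """PHP under an images/ directory (as in the post's js.php) is itself a red flag."""
    return "images" in Path(path).parts


def scan_tree(root: Path) -> list[dict]:
    """Walk a document root and report injected stubs and misplaced PHP files."""
    results = []
    for path in root.rglob("*.php"):
        text = path.read_text(errors="replace")
        for f in scan_php_source(text):
            f.update(file=str(path), odd_location=is_odd_location(str(path)))
            results.append(f)
        if is_odd_location(str(path)):
            results.append({"file": str(path), "odd_location": True, "layers": 0, "payload": ""})
    return results


# Constructed sample (not from the thread): a dropper that appends a stub to every
# PHP file, wrapped twice in base64 exactly as the post describes having to decode twice.
INNER_PHP = "<?php foreach (glob('*.php') as $f) { file_put_contents($f, '/* x */', FILE_APPEND); }"


def wrap_twice(code: str) -> str:
    once = base64.b64encode(code.encode()).decode()
    twice = base64.b64encode(once.encode()).decode()
    return f"<?php eval(base64_decode('{twice}')); ?>"


SAMPLE_INJECTED_PAGE = "<?php echo 'hello'; ?>\n" + wrap_twice(INNER_PHP)


if __name__ == "__main__":
    # Usage: python scan.py /path/to/docroot   (defaults to scanning the built-in sample)
    if len(sys.argv) > 1:
        for r in scan_tree(Path(sys.argv[1])):
            print(r["file"], "layers=%d" % r["layers"], "odd_location=%s" % r["odd_location"])
    else:
        for r in scan_php_source(SAMPLE_INJECTED_PAGE):
            print("layers=%d payload=%s" % (r["layers"], r["payload"]))
```

Run it against a backed-up copy of the document root rather than the live site, and treat a hit as a signal to restore from a known-good backup and rotate credentials, not just to delete the matched line: the post's own experience shows the stub is a symptom and the real dropper lives elsewhere.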

  2. NC@WP
    Member
    Posted 5 years ago #

    Can you identify the version of tinyMCE that was affected? Failing that, which version of WordPress were you running?

  3. supert3d
    Member
    Posted 5 years ago #

    Versioning Info:

    WordPress: Version 2.0
    TinyMCE: Version 2.0 (extracted from code)

    function TinyMCE() {
        this.majorVersion = "2";
        this.minorVersion = "0";
        this.releaseDate = "2005-12-01";
        ...
    }

    Interesting comment I found whilst trawling through core code... made me chuckle...

    // "When trying to design a foolproof system,
    // never underestimate the ingenuity of the fools :)" -- Dougal

    source: wp-includes/functions.php

Topic Closed
