Unrated severity · NVD Advisory · Published Feb 12, 2020 · Updated Aug 7, 2024

CVE-2011-4908

Description

TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • Joomla / TinyBrowser (2 version ranges, no CPE)
    • range: <1.5.13
    • range: 1.5.12

Vulnerability mechanics

Root cause

"Missing file-type validation and unrestricted rename functionality in the TinyBrowser plugin allow arbitrary file upload and subsequent renaming to an executable extension."

Attack vector

An attacker with network access to the Joomla! instance sends a multipart POST request to `upload_file.php` with a file payload (e.g., a PHP webshell) using a `.ph.p` extension to bypass initial filters [ref_id=1]. The attacker first retrieves an obfuscation token from `upload.php`, then uploads the file, triggers `upload_process.php` to finalize the upload, and finally uses `edit.php` to rename the file from `.ph.p` to `.php`, making it executable [ref_id=1]. The attacker then accesses the renamed PHP file under `/images/stories/` to execute arbitrary code [ref_id=1].

Affected code

The vulnerability resides in the TinyBrowser plugin's `upload.php`, `upload_file.php`, `upload_process.php`, and `edit.php` scripts, located under `/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/` in Joomla! [ref_id=1]. The plugin fails to restrict the types of files that can be uploaded and does not prevent subsequent renaming of uploaded files to executable extensions.

What the fix does

The advisory does not include a patch diff, but the vendor's security announcement (referenced in the exploit as http://developer.joomla.org/security/news/301-20090722-core-file-upload.html) indicates that the fix was released in TinyBrowser plugin version 1.5.13 for Joomla! [ref_id=1]. The remediation would involve adding proper file-type validation on upload, restricting the allowed extensions, and preventing the rename functionality from changing extensions to executable types.

Preconditions

  • config: The Joomla! instance must have the TinyBrowser plugin (version <= 1.5.12) installed and enabled.
  • network: The attacker must have network access to the Joomla! web server.
  • input: The attacker must be able to send HTTP requests to the plugin's upload and edit endpoints.

Reproduction

1. Retrieve the obfuscation token by sending a GET request to `/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=` and extracting the value passed to `"obfus", "VALUE"` in the response [ref_id=1].
2. Upload a PHP payload as a file with a `.ph.p` extension by sending a multipart POST to `upload_file.php?folder=/images/stories/&type=file&feid=&obfuscate=TOKEN&sessidpass=` with the `Filename` and `Filedata` fields set to the `.ph.p` filename [ref_id=1].
3. Finalize the upload by sending a GET to `upload_process.php?folder=/images/stories/&type=file&feid=&filetotal=1` [ref_id=1].
4. Rename the uploaded file from `.ph.p` to `.php` by POSTing to `edit.php?type=file&folder=` with parameters `actionfile[0]=FILENAME.ph.p`, `renameext[0]=p`, `renamefile[0]=FILENAME.ph`, and `action=rename` [ref_id=1].
5. Access the renamed PHP file at `/images/stories/FILENAME.php` to execute the payload [ref_id=1].
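A detection check for the sequence above, added here as an example and not part of this advisory or of the TinyBrowser project: it parses constructed Apache combined-format access-log lines and flags (a) a client that POSTs to `upload_file.php` and later to `edit.php` on the plugin path, and (b) any successfully served PHP-executable file under `/images/stories/`, which that directory should never contain. The log lines, client addresses and the file name `upload1.php` are constructed; the plugin path and script names are the ones the advisory gives.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

TB_PATH = "/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/"

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = f"""\
203.0.113.5 - - [12/Feb/2020:10:00:01 +0000] "GET {TB_PATH}upload.php?type=file&folder= HTTP/1.1" 200 4312 "-" "curl/7.64.0"
203.0.113.5 - - [12/Feb/2020:10:00:02 +0000] "POST {TB_PATH}upload_file.php?folder=/images/stories/&type=file&feid=&obfuscate=TOKEN&sessidpass= HTTP/1.1" 200 12 "-" "curl/7.64.0"
203.0.113.5 - - [12/Feb/2020:10:00:03 +0000] "GET {TB_PATH}upload_process.php?folder=/images/stories/&type=file&feid=&filetotal=1 HTTP/1.1" 200 310 "-" "curl/7.64.0"
203.0.113.5 - - [12/Feb/2020:10:00:04 +0000] "POST {TB_PATH}edit.php?type=file&folder= HTTP/1.1" 200 2201 "-" "curl/7.64.0"
203.0.113.5 - - [12/Feb/2020:10:00:05 +0000] "GET /images/stories/upload1.php HTTP/1.1" 200 57 "-" "curl/7.64.0"
198.51.100.7 - - [12/Feb/2020:10:01:00 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2020:10:01:05 +0000] "GET {TB_PATH}upload.php?type=image&folder= HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Extensions a web server may hand to the PHP interpreter; the upload
# directory /images/stories/ should never serve any of them.
EXEC_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phps")


def parse(line):
    # Returns (client, method, path without query string, status) or None.
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    return client, method, urlsplit(target).path, int(status)


def scan(log_text):
    """Return findings as (client, rule, path) tuples, in log order."""
    findings = []
    tb_calls = defaultdict(set)  # client -> {(method, script)} seen on the plugin
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, method, path, status = rec
        low = path.lower()
        # Rule 1: a script under the upload root was served successfully.
        if low.startswith("/images/stories/") and low.endswith(EXEC_EXTS) and status == 200:
            findings.append((client, "php-served-from-upload-dir", path))
        # Rule 2: same client POSTed to upload_file.php and then to edit.php (upload, then rename).
        if path.startswith(TB_PATH):
            call = (method, path[len(TB_PATH):])
            tb_calls[client].add(call)
            if call == ("POST", "edit.php") and ("POST", "upload_file.php") in tb_calls[client]:
                findings.append((client, "tinybrowser-upload-then-rename", path))
    return findings
```

Rule 1 alone is a strong signal on any Joomla! install, because the upload root is meant to hold media, not scripts; rule 2 narrows the noise from legitimate editor use to the specific upload-then-rename pattern.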

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
