TinyMCE ajax_create_folder remote code execution vulnerability
Description
TinyMCE, a widely-used JavaScript WYSIWYG HTML editor, contains a critical remote code execution vulnerability in its AJAX file manager plugin. The vulnerable file 'ajax_create_folder.php' uses an insecure writeInfo() function that writes unsanitized POST request data directly into 'data.php' without validation. This allows unauthenticated attackers to inject and execute arbitrary PHP code on the server by crafting malicious POST requests.
Remediation
Take immediate action to remediate this vulnerability using one of the following approaches:
1. Upgrade TinyMCE: Update to the latest version of TinyMCE that addresses this vulnerability. Verify the changelog confirms the fix for the ajax_create_folder.php issue.
2. Remove vulnerable files: If the AJAX file manager functionality is not required, delete the entire '/plugins/ajaxfilemanager/' directory from your TinyMCE installation.
3. Restrict access: If you must retain the plugin temporarily, implement web server access controls so that the plugin's PHP files cannot be reached over HTTP. The .htaccess below, placed in the '/plugins/ajaxfilemanager/' directory, denies all requests to that directory on Apache 2.4 (on Apache 2.2 the equivalent directive is 'Deny from all'). Confirm afterwards that a request to ajax_create_folder.php returns 403 rather than 200.

    # Apache .htaccess example (place in /plugins/ajaxfilemanager/)
    Require all denied
After remediation, scan your server for indicators of compromise, review web server logs for suspicious POST requests to ajax_create_folder.php, and check for unexpected .php files that may have been created by attackers.
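The post-remediation checks above can be scripted. The following is an added example, not code from the advisory or from TinyMCE: it parses Apache/nginx combined-format access log lines and flags POST requests to ajax_create_folder.php (and any request for a file named data.php, the file the advisory says the injected code is written to), then walks a webroot and lists .php files that are not in a known-good baseline. The log lines, request paths and directory tree are constructed for the example; the baseline set is an assumption you would replace with a listing taken from a clean install.

```python
"""Triage helpers for the TinyMCE ajax_create_folder.php finding.

Added example (not part of the original advisory or of TinyMCE).
Log lines and the demo file tree below are constructed test data.
"""
import os
import re
import shutil
import tempfile
from typing import Dict, Iterable, List, Set

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

TARGET = "ajax_create_folder.php"   # the vulnerable endpoint
DATA_FILE = "data.php"              # where the advisory says injected code lands


def find_suspicious_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed entries for requests that touch the vulnerable plugin.

    reason is one of:
      post_to_create_folder  - POST to ajax_create_folder.php (the injection vector)
      probe_create_folder    - any other method to that file (reconnaissance)
      request_to_data_php    - a direct request for data.php (likely trigger)
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]   # drop query string
        base = path.rsplit("/", 1)[-1]
        if base == TARGET:
            reason = "post_to_create_folder" if m.group("method") == "POST" else "probe_create_folder"
        elif base == DATA_FILE:
            reason = "request_to_data_php"
        else:
            continue
        entry = m.groupdict()
        entry["reason"] = reason
        hits.append(entry)
    return hits


def find_unexpected_php_files(root: str, baseline: Set[str]) -> List[str]:
    """Walk root and return webroot-relative paths of .php files absent from baseline."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in baseline:
                    found.append(rel)
    return sorted(found)


# Constructed sample log lines (not real traffic); the plugin path is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 88 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 43 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /tinymce/plugins/ajaxfilemanager/ajax_create_folder.php?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /tinymce/plugins/ajaxfilemanager/data.php HTTP/1.1" 200 0 "-" "python-requests/2.31"',
]


def demo_unexpected_php_files() -> List[str]:
    """Build a throwaway webroot (constructed data) and scan it against an assumed baseline."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        os.makedirs(os.path.join(root, "plugins", "ajaxfilemanager"))
        for rel in ("index.php",
                    "plugins/ajaxfilemanager/ajax_create_folder.php",
                    "plugins/ajaxfilemanager/shell.php"):   # the planted file
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("<?php\n")
        baseline = {"index.php", "plugins/ajaxfilemanager/ajax_create_folder.php"}
        return find_unexpected_php_files(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for h in find_suspicious_requests(SAMPLE_LOG):
        print(h["reason"], h["ip"], h["ts"], h["method"], h["path"], h["status"])
    print("unexpected .php files:", demo_unexpected_php_files())
```

Run it against a real log with `find_suspicious_requests(open("/var/log/apache2/access.log"))`; a POST hit followed shortly by a request for data.php from the same source is the sequence to escalate, and any file the baseline scan reports should be treated as a likely web shell until reviewed.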