__________.__                 __               ___ ___
\______   \  | _____    ____ |  | __          /   |   \  ____
 |    |  _/  | \__  \ _/ ___\|  |/ /  ______ /    ~    \/ ___\
 |    |   \  |__/ __ \\  \___|    <  /_____/ \    Y    / /_/  >
 |______  /____(____  /\___  >__|_ \          \___|_  /\___  /
        \/          \/     \/     \/                \//_____/
                                                               .ORG
[+] Info=================================================================
# Title: Drupal Htmlarea Modules (4.7.x-1.x) / Arbitary File Upload Vulnerabilities
# Author: Net.Edit0r
# Contact: Net.Edit0r[at]Att[dot]Net
# Vendor: https://drupal.org/project/htmlarea
# Software Link: http://ftp.drupal.org/files/projects/htmlarea-4.7.x-1.x-dev.zip
# Version: 4.7.x-1.x (The new version of the module is vulnerable fix)
# Tested on: Linux
 
- About the Software:
 
Allows Drupal to use the HTMLArea WYSIWYG formatter to replace text area fields.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 1)  File Upload Vulnerabilities in "/insert_image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
     - Vulnerable Code Snippet :
      
	every use of drupal_get_path() or url() in insert_image.php creates incorrect paths.

	the use of drupal_get_path() in htmlarea.module:

	case 'uploadimage':

	$popup = drupal_get_path('module', 'htmlarea') .'/plugins/UploadImage/popups/insert_image.php';

	$output[] = " editor.registerPlugin('$plugin', '$popup');";

	break;

     - Proof of concept for Exploitation:
      
         http://Localhost/plugins/UploadImage/popups/insert_image.php
         
           Image URL: /image/view/
         
        
  - Credits:
 
  #BHG BlackHat Group - Information Security Consultant 
  
  WebSite : WWW.Black-hg.oRG
 
# Tnx To : Ahmadbady ~ 3H34N ~ G3n3Rall ~ l4tr0d3ctism ~ NoL1m1t ~ MojtabaFbi ~ E2MA3N ~ offender 
# Iranian HackerZ [Persian Gulf]