[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <875432850907281517i3fe7d138q5349e6628297262e@mail.gmail.com>
Date: Wed, 29 Jul 2009 05:17:41 +0700
From: "YGN Ethical Hacker Group (http://yehg.net)" <lists@...g.net>
To: undisclosed-recipients:;
Subject: TinyBrowser (TinyMCE Editor File browser) 1.41.6
- Multiple Vulnerabilities
==============================================================================
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
==============================================================================
Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure
Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities(
http://yehg.net/lab/#advisories)
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser
plugin
Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply
Product Overview
================
TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as
file browser to view, upload, delete, rename files and folders on the
web servers. TinyMCE is supposedly in wider use than its rival fckeditor
due to faster loading and a little more cleaner interface. TinyMCE is
mostly found in open-source web applications used as a textarea replacement
html editor for allowing users to do text formatting with ease.
Vulnerabilities
==================
#1. Default Insecure Configurations
Configuration settings shipped with tinybrowser are relatively insecure by
default. They allow attackers to view, upload, delete, rename files and
folders
under its predefined upload directory.
Casual web developers or users might just upload the TinyMCE browser without
doing any configurations or they might do it later.
Meanwhile, if an attacker luckily finds the tinybrowser directory, which is
by default
jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of
insecure default configurations.
This was once a vulnerability of fckeditor (http://fckeditor.net) which has
fixed
its hole - if you run fckeditor's file upload page the first time, you'll
see
"This connector is disabled. Please check the ....". Tinybrowser should
imitate
like this.
#2. Arbitrary Folder Creation
Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
create a folder named "hacked" in /useruploads/images/ directory if that
folder does not exist.
#3. Arbitrary File Hosting
File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file'] = 0; // Other file maximum size
$tinybrowser['prohibited'] =
array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi',
'sh', 'py','asa','asax','config','com','inc');
// Prohibited file extensions
The max allowable upload is not restricted. So it will depend only on web
server's default setting or
PHP timeout value. There are not many restricted file types. Here's a way to
abuse:
- Create a hidden directory by requesting
[PATH]/upload.php?type=file&folder=.hostmyfiles
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound, movie, pictures, zipped archives or even your sample HTML
web sites for FREE!
An evil trick to create seemingly interesting folder such as secret and host
a
browser-exploit html page that triggers drive-by-download trojan.
When web master browses that folder and clicks the exploit file, then he
gets owned.
#4. Cross-site Scripting
Most GET/POST variables are not sanitized.
File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);
Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>
#5. Cross-site Request Forgeries
All major actions such as create, delete, rename files/folders are GET/POST
XSRF-able.
#########################################################################################
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists