lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <875432850907281517i3fe7d138q5349e6628297262e@mail.gmail.com>
Date: Wed, 29 Jul 2009 05:17:41 +0700
From: "YGN Ethical Hacker Group (http://yehg.net)" <lists@...g.net>
To: undisclosed-recipients:;
Subject: TinyBrowser (TinyMCE Editor File browser) 1.41.6
	- Multiple Vulnerabilities

==============================================================================
 TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
==============================================================================

Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure

Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities(
http://yehg.net/lab/#advisories)
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser
plugin


Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply


Product Overview
================

TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as
file browser to view, upload, delete, rename files and folders on the
web servers. TinyMCE is supposedly in wider use than its rival fckeditor
due to faster loading and a little more cleaner interface. TinyMCE is
mostly found in open-source web applications used as a textarea replacement
html editor for allowing users to do text formatting with ease.

Vulnerabilities
==================

#1. Default Insecure Configurations

Configuration settings shipped with tinybrowser are relatively insecure by
default. They allow attackers to view, upload, delete, rename files and
folders
under its predefined upload directory.

Casual web developers or users might just upload the TinyMCE browser without
doing any configurations or they might do it later.
Meanwhile, if an attacker luckily finds the tinybrowser directory, which is
by default
jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of
insecure default configurations.

This was once a vulnerability of fckeditor (http://fckeditor.net) which has
fixed
its hole - if you run fckeditor's file upload page the first time, you'll
see
"This connector is disabled. Please check the ....". Tinybrowser should
imitate
like this.


#2. Arbitrary Folder Creation

Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
create a folder named "hacked" in /useruploads/images/ directory if that
folder does not exist.


#3. Arbitrary File Hosting

File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file']  = 0; // Other file maximum size
$tinybrowser['prohibited'] =
array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi',
'sh', 'py','asa','asax','config','com','inc');
// Prohibited file extensions

The max allowable upload is not restricted. So it will depend only on web
server's default setting or
PHP timeout value. There are not many restricted file types. Here's a way to
abuse:
- Create a hidden directory by requesting
[PATH]/upload.php?type=file&folder=.hostmyfiles
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound, movie, pictures, zipped archives or even your sample HTML
web sites for FREE!

An evil trick to create seemingly interesting folder such as secret and host
a
browser-exploit html page that triggers drive-by-download trojan.
When web master browses that folder and clicks the exploit file, then he
gets owned.

#4. Cross-site Scripting

Most GET/POST variables are not sanitized.

File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>

#5. Cross-site Request Forgeries

All major actions such as create, delete, rename files/folders are GET/POST
XSRF-able.

#########################################################################################

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ