Message-ID: <875432850907281537w76e1c7ebw89c03a31b6fc8741@mail.gmail.com>
Date: Wed, 29 Jul 2009 05:37:02 +0700
From: "YGN Ethical Hacker Group (http://yehg.net)" <lists@...g.net>
To: laurent gaffie <laurent.gaffie@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
As far as I see, only Joomla 1.5.12.
There is no tinybrowser plugin in < 1.5.12, which makes 1.5.12 unlucky.
They mentioned only simple image upload.
http://developer.joomla.org/security/news/301-20090722-core-file-upload.html
When I tested it, I found more, which should be disclosed.
Or else users will say 'just forget about it. Image upload makes no problem.'
On Wed, Jul 29, 2009 at 5:30 AM, laurent gaffie <laurent.gaffie@...il.com> wrote:
> ***this also affects any joomla! >1.5.* ***
>
>
> 2009/7/28 YGN Ethical Hacker Group (http://yehg.net) <lists@...g.net>
>
>>
>> ==============================================================================
>> TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
>> ==============================================================================
>>
>> Discovered by
>> Aung Khant, YGN Ethical Hacker Group, Myanmar
>> http://yehg.net/ ~ believe in full disclosure
>>
>> Advisory URL:
>>
>> http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
>> (http://yehg.net/lab/#advisories)
>> Date published: 2009-07-27
>> Severity: High
>> Vulnerability Class: Abuse of Functionality
>> Affected Products:
>> - TinyMCE editor with TinyBrowser plugin
>> - Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin
>>
>>
>> Author: Bryn Jones (http://www.lunarvis.com)
>> Author Contacted: Yes
>> Reply: No reply
>>
>>
>> Product Overview
>> ================
>>
>> TinyBrowser is a plugin for the TinyMCE JavaScript editor that acts as a
>> file browser to view, upload, delete and rename files and folders on the
>> web server. TinyMCE is supposedly in wider use than its rival fckeditor
>> due to faster loading and a slightly cleaner interface. TinyMCE is
>> mostly found in open-source web applications, used as a textarea-replacement
>> HTML editor that lets users do text formatting with ease.
>>
>> Vulnerabilities
>> ==================
>>
>> #1. Default Insecure Configurations
>>
>> The configuration settings shipped with tinybrowser are relatively insecure by
>> default. They allow attackers to view, upload, delete and rename files and
>> folders under its predefined upload directory.
>>
>> Casual web developers or users might just upload the TinyMCE browser without
>> doing any configuration, or they might do it later. Meanwhile, if an attacker
>> luckily finds the tinybrowser directory, which is by default
>> jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse it because of
>> the insecure default configuration.
>>
>> This was once a vulnerability of fckeditor (http://fckeditor.net), which has
>> fixed its hole: if you run fckeditor's file upload page the first time, you'll
>> see "This connector is disabled. Please check the ....". TinyBrowser should
>> imitate this.
>>
>>
>> #2. Arbitrary Folder Creation
>>
>> Requesting the URL [PATH]/tinybrowser.php?type=image&folder=hacked will
>> create a folder named "hacked" in the /useruploads/images/ directory if that
>> folder does not exist.
>>
>>
>> #3. Arbitrary File Hosting
>>
>> File: config_tinybrowser.php
>> Code:
>> // File upload size limit (0 is unlimited)
>> $tinybrowser['maxsize']['image'] = 0; // Image file maximum size
>> $tinybrowser['maxsize']['media'] = 0; // Media file maximum size
>> $tinybrowser['maxsize']['file'] = 0; // Other file maximum size
>> // Prohibited file extensions
>> $tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl',
>>     'bat','exe','dll','reg','cgi','sh','py','asa','asax','config','com','inc');
>>
>> The maximum allowable upload is not restricted, so it will depend only on the web
>> server's default setting or the PHP timeout value. There are not many restricted
>> file types. Here's a way to abuse it:
>> - Create a hidden directory by requesting
>>   [PATH]/upload.php?type=file&folder=.hostmyfiles
>> - Then go to /upload.php?type=file&folder=.hostmyfiles
>> - Host your sounds, movies, pictures, zipped archives or even your sample
>>   HTML web sites for FREE!
>>
>> An evil trick: create a seemingly interesting folder such as "secret" and host a
>> browser-exploit HTML page there that triggers a drive-by-download trojan.
>> When the web master browses that folder and clicks the exploit file, he
>> gets owned.
>>
>> #4. Cross-site Scripting
>>
>> Most GET/POST variables are not sanitized.
>>
>> File: upload.php
>> Code:
>> $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
>> $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
>> $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);
>>
>> Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>
>>
>> #5. Cross-site Request Forgeries
>>
>> All major actions such as create, delete, rename files/folders are
>> GET/POST XSRF-able.
>>
>>
>> #########################################################################################
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
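One way a maintainer could harden the three input paths the advisory calls out (the folder parameter behind #2 and #3, the extension policy and unlimited size behind #3, and the reflected counters behind #4), as an added PHP example that is not TinyBrowser's own code; the function names, the allowlist contents and the size limit are this example's assumptions.

```php
<?php
// Added example (not TinyBrowser's code): hardened handling of the inputs
// the advisory flags. Function names and policy values are assumptions.

// #4: upload.php echoes $_GET['goodfiles'] etc. unescaped. Coerce the
// counters to integers so only digits survive, and escape anything
// that is written back into HTML regardless.
function counter_param(array $get, string $name): int
{
    return isset($get[$name]) ? (int) $get[$name] : 0;
}

function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// #2/#3: "folder" is used to create directories under the upload root.
// Accept a single plain path segment only: no separators, no "..",
// no leading dot (which is what hid the ".hostmyfiles" folder).
function safe_folder_name(string $folder): ?string
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/', $folder) ? $folder : null;
}

// #3: replace the shipped extension blacklist with a per-type allowlist and
// refuse an unlimited (0) size limit. Only the final extension is checked,
// so script execution should also be disabled in the upload directory.
const ALLOWED_EXT = [
    'image' => ['jpg', 'jpeg', 'png', 'gif'],
    'media' => ['mp3', 'mp4', 'webm'],
    'file'  => ['pdf', 'zip', 'txt'],
];

function upload_allowed(string $type, string $filename, int $size, int $maxsize): bool
{
    if (!isset(ALLOWED_EXT[$type]) || $maxsize <= 0 || $size > $maxsize) {
        return false; // unknown type, unlimited limit, or oversized file
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_EXT[$type], true);
}

// Constructed inputs modelled on the advisory's examples.
$xss = ['badfiles' => '1"><script>alert(/XSS/)</script>'];
assert(counter_param($xss, 'badfiles') === 1);
assert(html($xss['badfiles']) === '1&quot;&gt;&lt;script&gt;alert(/XSS/)&lt;/script&gt;');
assert(safe_folder_name('.hostmyfiles') === null && safe_folder_name('../etc') === null);
assert(safe_folder_name('hacked') === 'hacked');
assert(upload_allowed('image', 'photo.jpg', 1024, 2000000));
assert(!upload_allowed('image', 'shell.php', 1024, 2000000));
assert(!upload_allowed('file', 'archive.zip', 1024, 0));
echo "all checks passed\n";
```

The create, delete and rename actions from #5 additionally need a per-session anti-CSRF token checked on every state-changing request, which is independent of the input validation shown here.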