Open Source and information security mailing list archives
Date: Fri, 14 Dec 2012 23:50:30 +0200
From: "MustLive" <>
To: <>, <>,
Subject: TinyBrowser Upload Shell Vulnerability

Hello guys!

I'll draw your attention to one exploit at (and their other
domains): I've written to about
it already on 19.11.2012. So it should concern every list which posted that
exploit from

This is an AFU vulnerability in the TinyBrowser plugin for TinyMCE, which allows
uploading scripts to the site using a double extensions attack.

At this exploit was posted on 14.11.2012 and it concerns version
TinyBrowser 1.32. But a long time ago I already disclosed this

First, already on 09.09.2009 I disclosed an Arbitrary File Upload
vulnerability in TinyBrowser (,, which in TinyBrowser 1.33 allows
uploading PHP scripts directly.

Second, this is a duplicate of a vulnerability in TinyBrowser, which I
disclosed already on 14.07.2011 (,, In my advisory I
disclosed three attacks on TinyBrowser - two for IIS and one for Apache (the
attack via double extensions, mentioned in this exploit) for TinyBrowser
v1.42. After I informed the developer, he fixed them in version 1.43.

Best wishes & regards,
Administrator of Websecurity web site 

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
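
For the double-extension upload class named in the message above, a server-side filename check written as an added example (it is not part of the original post and not TinyBrowser's code). It relies on the documented Apache mod_mime behaviour that a file may carry several extensions and each one can select a handler; the extension lists, function names and the images-only policy are assumptions.

```python
import os
import secrets

# Assumption: the upload feature is meant for images only.
ALLOWED_FINAL_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions a web server may map to a script handler (constructed, not exhaustive).
HANDLER_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "pl", "py",
               "cgi", "asp", "aspx", "jsp", "shtml", "htaccess"}


def check_upload_name(name):
    """Return (ok, reason) for a client-supplied upload filename."""
    # Reject directory components (both separator styles) and NUL bytes.
    base = os.path.basename(name.replace("\\", "/"))
    if base != name or "\x00" in name:
        return False, "path component or NUL byte in name"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing stem or extension"
    exts = parts[1:]
    # The last extension must be on the allowlist.
    if exts[-1] not in ALLOWED_FINAL_EXT:
        return False, "final extension not allowed: " + exts[-1]
    # Double-extension case: every inner segment is checked too, because
    # the server may act on any extension in the name, not only the last.
    for seg in exts[:-1]:
        if seg in HANDLER_EXT:
            return False, "handler extension inside name: " + seg
    return True, "ok"


def stored_name(name):
    """Return a server-chosen name with exactly one allowlisted extension."""
    ok, reason = check_upload_name(name)
    if not ok:
        raise ValueError(reason)
    # Discard the client's stem entirely; keep only the validated extension.
    ext = name.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample filenames.
    for sample in ("photo.jpg", "shell.php.jpg", "shell.php", ".htaccess"):
        print(sample, check_upload_name(sample))
```

Storing the file under the name returned by `stored_name` means the on-disk name never contains more than one extension, regardless of what the client sent.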
