Full Disclosure mailing list archives
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
From: "YGN Ethical Hacker Group (http://yehg.net)" <lists () yehg net>
Date: Wed, 29 Jul 2009 05:17:41 +0700
============================================================================== TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities ============================================================================== Discovered by Aung Khant, YGN Ethical Hacker Group, Myanmar http://yehg.net/ ~ believe in full disclosure Advisory URL: http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities( http://yehg.net/lab/#advisories) Date published: 2009-07-27 Severity: High Vulnerability Class: Abuse of Functionality Affected Products: - TinyMCE editor with TinyBrowser plugin - Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin Author: Bryn Jones (http://www.lunarvis.com) Author Contacted: Yes Reply: No reply Product Overview ================ TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as file browser to view, upload, delete, rename files and folders on the web servers. TinyMCE is supposedly in wider use than its rival fckeditor due to faster loading and a little more cleaner interface. TinyMCE is mostly found in open-source web applications used as a textarea replacement html editor for allowing users to do text formatting with ease. Vulnerabilities ================== #1. Default Insecure Configurations Configuration settings shipped with tinybrowser are relatively insecure by default. They allow attackers to view, upload, delete, rename files and folders under its predefined upload directory. Casual web developers or users might just upload the TinyMCE browser without doing any configurations or they might do it later. Meanwhile, if an attacker luckily finds the tinybrowser directory, which is by default jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of insecure default configurations. This was once a vulnerability of fckeditor (http://fckeditor.net) which has fixed its hole - if you run fckeditor's file upload page the first time, you'll see "This connector is disabled. Please check the ....". Tinybrowser should imitate like this. #2. Arbitrary Folder Creation Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will create a folder named "hacked" in /useruploads/images/ directory if that folder does not exist. #3. Arbitrary File Hosting File: config_tinybrowser.php Code: // File upload size limit (0 is unlimited) $tinybrowser['maxsize']['image'] = 0; // Image file maximum size $tinybrowser['maxsize']['media'] = 0; // Media file maximum size $tinybrowser['maxsize']['file'] = 0; // Other file maximum size $tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi', 'sh', 'py','asa','asax','config','com','inc'); // Prohibited file extensions The max allowable upload is not restricted. So it will depend only on web server's default setting or PHP timeout value. There are not many restricted file types. Here's a way to abuse: - Create a hidden directory by requesting [PATH]/upload.php?type=file&folder=.hostmyfiles - Then go to /upload.php?type=file&folder=.hostmyfiles - Host your sound, movie, pictures, zipped archives or even your sample HTML web sites for FREE! An evil trick to create seemingly interesting folder such as secret and host a browser-exploit html page that triggers drive-by-download trojan. When web master browses that folder and clicks the exploit file, then he gets owned. #4. Cross-site Scripting Most GET/POST variables are not sanitized. File: upload.php Code: $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0); $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0); $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0); Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script> #5. Cross-site Request Forgeries All major actions such as create, delete, rename files/folders are GET/POST XSRF-able. #########################################################################################
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities YGN Ethical Hacker Group (http://yehg.net) (Jul 28)
- Re: TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities laurent gaffie (Jul 28)
- Re: TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities YGN Ethical Hacker Group (http://yehg.net) (Jul 28)
- Re: TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities laurent gaffie (Jul 28)