***this also affect any joomla! >1.5.* ***
2009/7/28 YGN Ethical Hacker Group (http://yehg.net) <[email protected]> > > ============================================================================== > TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple > Vulnerabilities > > ============================================================================== > > Discovered by > Aung Khant, YGN Ethical Hacker Group, Myanmar > http://yehg.net/ ~ believe in full disclosure > > Advisory URL: > > http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities( > http://yehg.net/lab/#advisories) > Date published: 2009-07-27 > Severity: High > Vulnerability Class: Abuse of Functionality > Affected Products: > - TinyMCE editor with TinyBrowser plugin > - Any web sites/web applications that use TinyMCE editor with TinyBrowser > plugin > > > Author: Bryn Jones (http://www.lunarvis.com) > Author Contacted: Yes > Reply: No reply > > > Product Overview > ================ > > TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as > file browser to view, upload, delete, rename files and folders on the > web servers. TinyMCE is supposedly in wider use than its rival fckeditor > due to faster loading and a little more cleaner interface. TinyMCE is > mostly found in open-source web applications used as a textarea replacement > html editor for allowing users to do text formatting with ease. > > Vulnerabilities > ================== > > #1. Default Insecure Configurations > > Configuration settings shipped with tinybrowser are relatively insecure by > default. They allow attackers to view, upload, delete, rename files and > folders > under its predefined upload directory. > > Casual web developers or users might just upload the TinyMCE browser > without > doing any configurations or they might do it later. > Meanwhile, if an attacker luckily finds the tinybrowser directory, which is > by default > jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of > insecure default configurations. > > This was once a vulnerability of fckeditor (http://fckeditor.net) which > has fixed > its hole - if you run fckeditor's file upload page the first time, you'll > see > "This connector is disabled. Please check the ....". Tinybrowser should > imitate > like this. > > > #2. Arbitrary Folder Creation > > Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will > create a folder named "hacked" in /useruploads/images/ directory if that > folder does not exist. > > > #3. Arbitrary File Hosting > > File: config_tinybrowser.php > Code: > // File upload size limit (0 is unlimited) > $tinybrowser['maxsize']['image'] = 0; // Image file maximum size > $tinybrowser['maxsize']['media'] = 0; // Media file maximum size > $tinybrowser['maxsize']['file'] = 0; // Other file maximum size > $tinybrowser['prohibited'] = > array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi', > 'sh', 'py','asa','asax','config','com','inc'); > // Prohibited file extensions > > The max allowable upload is not restricted. So it will depend only on web > server's default setting or > PHP timeout value. There are not many restricted file types. Here's a way > to abuse: > - Create a hidden directory by requesting > [PATH]/upload.php?type=file&folder=.hostmyfiles > - Then go to /upload.php?type=file&folder=.hostmyfiles > - Host your sound, movie, pictures, zipped archives or even your sample > HTML web sites for FREE! > > An evil trick to create seemingly interesting folder such as secret and > host a > browser-exploit html page that triggers drive-by-download trojan. > When web master browses that folder and clicks the exploit file, then he > gets owned. > > #4. Cross-site Scripting > > Most GET/POST variables are not sanitized. > > File: upload.php > Code: > $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0); > $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0); > $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0); > > Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script> > > #5. Cross-site Request Forgeries > > All major actions such as create, delete, rename files/folders are GET/POST > XSRF-able. > > > ######################################################################################### > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
