Re: TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities

[laurent gaffie <laurent.gaffie () gmail com>]

***this also affect any joomla! >1.5.*  ***


2009/7/28 YGN Ethical Hacker Group (http://yehg.net) <lists () yehg net>

> ==============================================================================
>  TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple
> Vulnerabilities
>
> ==============================================================================
>
> Discovered by
> Aung Khant, YGN Ethical Hacker Group, Myanmar
> http://yehg.net/ ~ believe in full disclosure
>
> Advisory URL:
>
> http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities(
> http://yehg.net/lab/#advisories)
> Date published: 2009-07-27
> Severity: High
> Vulnerability Class: Abuse of Functionality
> Affected Products:
> - TinyMCE editor with TinyBrowser plugin
> - Any web sites/web applications that use TinyMCE editor with TinyBrowser
> plugin
>
>
> Author: Bryn Jones (http://www.lunarvis.com)
> Author Contacted: Yes
> Reply: No reply
>
>
> Product Overview
> ================
>
> TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as
> file browser to view, upload, delete, rename files and folders on the
> web servers. TinyMCE is supposedly in wider use than its rival fckeditor
> due to faster loading and a little more cleaner interface. TinyMCE is
> mostly found in open-source web applications used as a textarea replacement
> html editor for allowing users to do text formatting with ease.
>
> Vulnerabilities
> ==================
>
> #1. Default Insecure Configurations
>
> Configuration settings shipped with tinybrowser are relatively insecure by
> default. They allow attackers to view, upload, delete, rename files and
> folders
> under its predefined upload directory.
>
> Casual web developers or users might just upload the TinyMCE browser
> without
> doing any configurations or they might do it later.
> Meanwhile, if an attacker luckily finds the tinybrowser directory, which is
> by default
> jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of
> insecure default configurations.
>
> This was once a vulnerability of fckeditor (http://fckeditor.net) which
> has fixed
> its hole - if you run fckeditor's file upload page the first time, you'll
> see
> "This connector is disabled. Please check the ....". Tinybrowser should
> imitate
> like this.
>
>
> #2. Arbitrary Folder Creation
>
> Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
> create a folder named "hacked" in /useruploads/images/ directory if that
> folder does not exist.
>
>
> #3. Arbitrary File Hosting
>
> File: config_tinybrowser.php
> Code:
> // File upload size limit (0 is unlimited)
> $tinybrowser['maxsize']['image'] = 0; // Image file maximum size
> $tinybrowser['maxsize']['media'] = 0; // Media file maximum size
> $tinybrowser['maxsize']['file']  = 0; // Other file maximum size
> $tinybrowser['prohibited'] =
> array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi',
> 'sh', 'py','asa','asax','config','com','inc');
> // Prohibited file extensions
>
> The max allowable upload is not restricted. So it will depend only on web
> server's default setting or
> PHP timeout value. There are not many restricted file types. Here's a way
> to abuse:
> - Create a hidden directory by requesting
> [PATH]/upload.php?type=file&folder=.hostmyfiles
> - Then go to /upload.php?type=file&folder=.hostmyfiles
> - Host your sound, movie, pictures, zipped archives or even your sample
> HTML web sites for FREE!
>
> An evil trick to create seemingly interesting folder such as secret and
> host a
> browser-exploit html page that triggers drive-by-download trojan.
> When web master browses that folder and clicks the exploit file, then he
> gets owned.
>
> #4. Cross-site Scripting
>
> Most GET/POST variables are not sanitized.
>
> File: upload.php
> Code:
> $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
> $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
> $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);
>
> Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>
>
> #5. Cross-site Request Forgeries
>
> All major actions such as create, delete, rename files/folders are GET/POST
> XSRF-able.
>
>
> #########################################################################################
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/