Code Execution vulnerabilities in TinyBrowser

["MustLive" <mustlive () websecurity com ua>]

Hello list!

I want to warn you about Code Execution vulnerabilities in TinyBrowser -
file manager for TinyMCE.

-------------------------
Affected products:
-------------------------

Vulnerable are TinyBrowser v1.42 and previous versions (and all web
applications which are using it, such as TinyMCE). Developer fixed these
holes in the next version 1.43 already in February, after my informing, but
this version still was not released. So contact developer for new version.

----------
Details:
----------

Code Execution (WASC-31):

Execution of arbitrary code is possible due to bypass of program's security
filters (on web servers IIS and Apache).

Code will execute via file uploading. Program is vulnerable to three methods
of code execution:

1. Via using of symbol ";" (1.asp;.txt) in file name (IIS).

2. Via "1.asp" in folder name (IIS).

3. Via double extension (1.php.txt) (Apache with special configuration).

------------
Timeline:
------------

2011.02.11 - announced at my site.
2011.02.14 - informed developer.
2011.02.17 - developer answered, that he has just fixed them in the next
version 1.43.
2011.07.14 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4922/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/