Penetration Testing mailing list archives

Re: Pentesting ASP website with tinymce


From: Justin Klein Keane <justin () madirish net>
Date: Wed, 01 Sep 2010 08:27:23 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

  TinyMCE is a JavaScript based WYSIWYG editor, not a content management
system.  TinyMCE can be configured to run independently of any dynamic
code, and doesn't present any security vulnerability by itself.  TinyMCE
has had problems in the past with file manipulation that involved unsafe
dynamic scripting (such as PHP).

Justin Klein Keane, C|EH CEPT
http://www.MadIrish.net

On 08/31/2010 12:30 PM, Luana C. Rocha wrote:
> Hi,
>
> The company I work for is in the process of evaluating a new website.
> They are not concerned about security, but with how easy it is to update
> the website content.
> At this moment the developer who is winning this evaluation is
> proposing to use tinymce as a content manager.
> I read about tinymce and I'm really concerned about our security.
> Does anyone use tinymce? Can anyone point me to a good way to pentest
> this site and how to enforce its security, just in case they insist on
> using tinymce?
>
> PS: please forgive my bad English, I'm still learning.
>
> LCR

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkx+RqsACgkQkSlsbLsN1gDfWgb+LI7Ml6O96Y9nAcZGpUsk9pSq
CrOC+zGRAyGJOHCygpNAstRmsjYtWXZt8apAGR+V9tROcHzsGB35u9blREsW6qtz
lQ4SE4yZ3o0bKt58v8VoMkVfknZMmQjoFCsTJS0QOt0QkeWpMgD2BUBzy2+l2MiF
U53Uta5YnTAq/Awj5M9du4V06dGdGcY8Ixq8EXVQwdKWM7w9Wj3Zq1aowz1liXX4
GinUWri7uYt84nUKK7ZT/vRhTUc6BJQ7RfrfIAsfWb13Y1f5USRo5dV6GFxCy2IE
i5Hw3QwD5eMTJMmT5Ls=
=vE1F
-----END PGP SIGNATURE-----
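The practical consequence of Justin's point (the editor is browser-side JavaScript, so it is not itself the place where security is enforced) is that any HTML the editor submits is attacker-controlled: a tester can POST arbitrary markup to the same endpoint without ever loading TinyMCE, so whatever element restrictions the editor applies in the browser are not a control. The server-side code that stores and renders the content has to reduce the submitted HTML to a known-safe subset. The following is an added example of that check, written for this archive page; it is not code from the thread, from TinyMCE, or from the ASP site under discussion, and the allowlist of tags and attributes is an assumption about what a simple editor configuration produces. A production site would normally reach for a maintained sanitizer library; this shows what such a sanitizer must do.

```python
"""Allowlist HTML sanitizer for content submitted from a browser-side editor.

Added example, not code from the mailing-list thread or from TinyMCE.
Assumption: the editor is configured to emit only basic formatting, links
and images, so everything outside that subset is stripped. Script/style
content is dropped entirely, event-handler attributes never survive, and
URL attributes are restricted to http(s), mailto or relative targets.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of what the editor is expected to produce.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "img", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
# The text inside these elements is dropped, not just the tags around it.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(value):
    """Accept http(s), mailto and relative URLs; reject javascript:, data:, etc."""
    # Browsers ignore ASCII control characters and spaces inside a URL scheme,
    # so remove them before inspecting it; otherwise "java\nscript:" gets through.
    cleaned = "".join(c for c in value if ord(c) > 0x20)
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    return scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed elements currently open, for balancing
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return              # unknown element: keep its text, drop the tag
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # drops on*, style, class, target, ...
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue        # drops javascript:/data: and friends
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything down to the matching element so output stays balanced.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are silently dropped
    # by HTMLParser's default no-op handlers.

    def result(self):
        while self.open_tags:   # close anything the submitter left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    """Return a safe subset of HTML for storage and later rendering."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed sample: what a tester might POST directly to the save endpoint,
# bypassing the editor's client-side restrictions entirely.
DIRTY = (
    '<p onmouseover="steal()">Hello <b>world</b></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/" target="_blank">ok</a>'
    '<img src="x" onerror="alert(1)">'
    '<iframe src="https://evil.example/"></iframe>'
)

if __name__ == "__main__":
    print(sanitize(DIRTY))
```

Run the sample and the handlers, the script element, the javascript: link, the iframe and the target attribute all disappear while the formatting, the https link and the image survive. The same function is what you would apply on the ASP side before persisting editor content; testing it means submitting payloads like these straight to the save URL, not typing them into the editor.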
