Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <AANLkTinnHDO2DZ4T332DRsCyYVE7JukizE_BGTvTELyL@mail.gmail.com>
Date: Fri, 18 Mar 2011 14:32:55 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: TinyBrowser (TinyMCE Editor File browser) 1.41.6 -
 Multiple Vulnerabilities

Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin
- Known Vulnerable CMSes
	- Joomla Joomla 1.5.12
	- CompactCMS CompactCMS 1.4
	- B-hind CMS B-hind CMS 0

Author: Bryn Jones (http://www.lunarvis.com)


Product Overview
================

TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as
file browser to view, upload, delete, rename files and folders on the
web servers.


Vulnerabilities
==================

#1. Default Insecure Configurations

Configuration settings shipped with tinybrowser are relatively insecure by
default. They allow attackers to view, upload, delete, rename files and folders
under its predefined upload directory.

Casual web developers or users might just upload the TinyMCE browser without
doing any configurations or they might do it later.
Meanwhile, if an attacker luckily finds the tinybrowser directory,
which is by default
jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of
insecure default configurations.

This was once a vulnerability of fckeditor (http://fckeditor.net)
which has fixed
its hole - if you run fckeditor's file upload page the first time, you'll see
"This connector is disabled. Please check the ....". Tinybrowser should imitate
like this.


#2. Arbitrary Folder Creation

Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
create a folder named "hacked" in /useruploads/images/ directory if that
folder does not exist.


#3. Arbitrary File Hosting

File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file']  = 0; // Other file maximum size
$tinybrowser['prohibited'] =
array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi',
'sh', 'py','asa','asax','config','com','inc');
// Prohibited file extensions

The max allowable upload is not restricted. So it will depend only on
web server's default setting or
PHP timeout value. There are not many restricted file types. Here's a
way to abuse:
- Create a hidden directory by requesting
[PATH]/upload.php?type=file&folder=.hostmyfiles
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound, movie, pictures, zipped archives or even your
sample HTML web sites for FREE!

An evil trick to create seemingly interesting folder such as secret and host a
browser-exploit html page that triggers drive-by-download trojan.
When web master browses that folder and clicks the exploit file, then
he gets owned.

#4. Cross-site Scripting

Most GET/POST variables are not sanitized.

File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>

#5. Cross-site Request Forgeries

All major actions such as create, delete, rename files/folders are
GET/POST XSRF-able.

#########################################################################################


---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.