|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If you have found a vulnerability, please send to our SecurityAlert Database : secalert()securityreason()com
Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com |
|
|
Home ExploitAlert Database |
|
|
Topic : | TinyBrowser (TinyMCE Editor File browser) 1.41.6 Multiple Vulnerabilities
|
ExploitAlert : 6758
Milw0rm ID : 9296
Credit : Aung Khant
Date : 29.07.2009
Download
Plain text version
 Exploit Code : ===========================================================================
===
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple
Vulnerabilitis
===========================================================================
===
Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure
Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilit
ies
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply
Product Overview
================
TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as
file browser to view, upload, delete,rename files and folders on the
web servers.
Vulnerabilities
==================
#1. Default Insecure Configurations
Configuration settings shipped with tinybrowser are relatively insecure by
default. They allow attackers to view, upload, delete,rename files and
folders
under its predefined upload directory.
Casual web developers or users might just upload the tinymce browser
without
doing any configurations or they might do it later.
Meanwhile,if an attacker luckily finds the tinybrowser directory, which is
by default
jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of
insecure default configurations.
This was once a vulnerability of fckeditor(http://fckeditor.net) which has
fixed
its hole - if you run fckeditor's file upload page the first time, you'll
see
"This connector is disabled. Please check the ....". Tinybrowser should
imitate
like this.
#2. Arbitrary Folder Creation
Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
create a folder named "hacked" in /useruploads/images/ directory if that
folder does not exist.
#3. Arbitrary File Hosting
File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file'] = 0; // Other file maximum size
$tinybrowser['prohibited'] =
array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','c
fc','pl','bat','exe','dll','reg','cgi', 'sh',
'py','asa','asax','config','com','inc');
// Prohibited file extensions
The max allowable upload is not restricted. So it will depend only on web
server's default setting or
PHP timeout value. There are not many restricted file types. Here's a way
to abuse:
- Create a hidden directory by requesting
[PATH]/upload.php?type=file&folder=.hostmyfiles
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound,movie,pictures,zipped archives or even your sample HTML
web sites for FREE!
An evil trick to create seemingly interesting folder such as secret and
host a
browser-exploit html page that triggers drive-by-download trojan.
When web master browses that folder and clicks the exploit file, then he
gets owned.
#4. Cross-site Scripting
Most GET/POST variables are not sanitized.
File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);
Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>
#5. Cross-site Request Forgeries
All major actions such as create,delete,rename files/folders are GET/POST
XSRF-able.
###########################################################################
A Word
=========
Do not put the blame on the user who might always be lame and lazy to
config for security.
Make your software secure by default.
Making things insecure by default is a human(developer/programmer) issue of
all (past/current/coming) years round.
Welcome to insecurities. We love'em.
Feedback :
If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com.
|
|
|
|