|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  ExploitAlert Database |
||
ExploitAlert : 6758 Milw0rm ID : 9296 Credit : Aung Khant Date : 29.07.2009 Exploit Code : =========================================================================== === TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilitis =========================================================================== === Discovered by Aung Khant, YGN Ethical Hacker Group, Myanmar http://yehg.net/ ~ believe in full disclosure Advisory URL: http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilit ies Date published: 2009-07-27 Severity: High Vulnerability Class: Abuse of Functionality Author: Bryn Jones (http://www.lunarvis.com) Author Contacted: Yes Reply: No reply Product Overview ================ TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as file browser to view, upload, delete,rename files and folders on the web servers. Vulnerabilities ================== #1. Default Insecure Configurations Configuration settings shipped with tinybrowser are relatively insecure by default. They allow attackers to view, upload, delete,rename files and folders under its predefined upload directory. Casual web developers or users might just upload the tinymce browser without doing any configurations or they might do it later. Meanwhile,if an attacker luckily finds the tinybrowser directory, which is by default jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of insecure default configurations. This was once a vulnerability of fckeditor(http://fckeditor.net) which has fixed its hole - if you run fckeditor's file upload page the first time, you'll see "This connector is disabled. Please check the ....". Tinybrowser should imitate like this. #2. Arbitrary Folder Creation Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will create a folder named "hacked" in /useruploads/images/ directory if that folder does not exist. #3. Arbitrary File Hosting File: config_tinybrowser.php Code: // File upload size limit (0 is unlimited) $tinybrowser['maxsize']['image'] = 0; // Image file maximum size $tinybrowser['maxsize']['media'] = 0; // Media file maximum size $tinybrowser['maxsize']['file'] = 0; // Other file maximum size $tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','c fc','pl','bat','exe','dll','reg','cgi', 'sh', 'py','asa','asax','config','com','inc'); // Prohibited file extensions The max allowable upload is not restricted. So it will depend only on web server's default setting or PHP timeout value. There are not many restricted file types. Here's a way to abuse: - Create a hidden directory by requesting [PATH]/upload.php?type=file&folder=.hostmyfiles - Then go to /upload.php?type=file&folder=.hostmyfiles - Host your sound,movie,pictures,zipped archives or even your sample HTML web sites for FREE! An evil trick to create seemingly interesting folder such as secret and host a browser-exploit html page that triggers drive-by-download trojan. When web master browses that folder and clicks the exploit file, then he gets owned. #4. Cross-site Scripting Most GET/POST variables are not sanitized. File: upload.php Code: $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0); $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0); $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0); Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script> #5. Cross-site Request Forgeries All major actions such as create,delete,rename files/folders are GET/POST XSRF-able. ########################################################################### A Word ========= Do not put the blame on the user who might always be lame and lazy to config for security. Make your software secure by default. Making things insecure by default is a human(developer/programmer) issue of all (past/current/coming) years round. Welcome to insecurities. We love'em. Feedback : If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com. |
||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |