TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
2010-01-11 15:00
531 查看
============================================================================== TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities ============================================================================== Discovered by Aung Khant, YGN Ethical Hacker Group, Myanmar http://yehg.net/ ~ believe in full disclosure Advisory URL: http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities Date published: 2009-07-27 Severity: High Vulnerability Class: Abuse of Functionality Affected Products: - TinyMCE editor with TinyBrowser plugin - Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin Author: Bryn Jones (http://www.lunarvis.com) Author Contacted: Yes Reply: No reply Product Overview ================ TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as file browser to view, upload, delete, rename files and folders on the web servers. Vulnerabilities ================== #1. Default Insecure Configurations Configuration settings shipped with tinybrowser are relatively insecure by default. They allow attackers to view, upload, delete, rename files and folders under its predefined upload directory. Casual web developers or users might just upload the TinyMCE browser without doing any configurations or they might do it later. Meanwhile, if an attacker luckily finds the tinybrowser directory, which is by default jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of insecure default configurations. This was once a vulnerability of fckeditor (http://fckeditor.net) which has fixed its hole - if you run fckeditor's file upload page the first time, you'll see "This connector is disabled. Please check the ....". Tinybrowser should imitate like this. #2. Arbitrary Folder Creation Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will create a folder named "hacked" in /useruploads/images/ directory if that folder does not exist. #3. Arbitrary File Hosting File: config_tinybrowser.php Code: // File upload size limit (0 is unlimited) $tinybrowser['maxsize']['image'] = 0; // Image file maximum size $tinybrowser['maxsize']['media'] = 0; // Media file maximum size $tinybrowser['maxsize']['file'] = 0; // Other file maximum size $tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi', 'sh', 'py','asa','asax','config','com','inc'); // Prohibited file extensions The max allowable upload is not restricted. So it will depend only on web server's default setting or PHP timeout value. There are not many restricted file types. Here's a way to abuse: - Create a hidden directory by requesting [PATH]/upload.php?type=file&folder=.hostmyfiles - Then go to /upload.php?type=file&folder=.hostmyfiles - Host your sound, movie, pictures, zipped archives or even your sample HTML web sites for FREE! An evil trick to create seemingly interesting folder such as secret and host a browser-exploit html page that triggers drive-by-download trojan. When web master browses that folder and clicks the exploit file, then he gets owned. #4. Cross-site Scripting Most GET/POST variables are not sanitized. File: upload.php Code: $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0); $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0); $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0); Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script> #5. Cross-site Request Forgeries All major actions such as create, delete, rename files/folders are GET/POST XSRF-able. ######################################################################################### # milw0rm.com [2009-07-28]
相关文章推荐
- BouncingOrange TinyMCE (WYSIWYG)的功能增强插件 - BouncingOrange TinyBrowser (file uploader/manager) for TinyMCE
- CVE-2011-2448 Adobe ShockwaveDirector File Parsing data of rcsl chunk multiple DOS vulnerabilities
- TinymceFileBrowser
- MySQL 'sql_parse.cc' Multiple Format String Vulnerabilities
- PHPmyGallery Local and Remote File Include Vulnerabilities
- android studio集成微博出现错误multiple dex file define Lcon/sina/sso/RemoteSSO解决方法
- FCKeditor出现"this connector is disabled Please check the"editor/filemanager/connectors/aspx/config.aspx"错误的解决办法
- Multiple File Upload User Control
- SendFileToBrowser
- Warning: Multiple build commands for output file
- Oracle July 2007 Critical Patch Update Multiple Vulnerabilities
- 在ASP.NET中实现多文件上传(三)---jQuery Multiple File Upload Plugin
- TinyMCE's plugins: Ajax File Manager .Net for BlogEngine.Net
- FCKeditor(2.6)出现"this connector is disabled Please check the"editor/filemanager/connectors/aspx/conf
- Upload multiple files with a single file element
- TinyMCE Ajax File Manager suffers from a remote code execution vulnerability.
- Linux 下mysql 启动失败 Multiple MySQL running but PID file could not be found (1761 1448)[失败]
- 常用的富文本框插件FreeTextBox、CuteEditor、CKEditor、FCKEditor、TinyMCE、KindEditor ;和CKEditor实例
- Cannot create file"C:\Users\LML\AppData\Local\Temp\EditorLineEnds.ttr"。另一个程序正在使用此文件,进程无法访问。
- Multiple build commands for output file