Tuesday, July 28, 2009

TinyBrowser (TinyMCE Editor Plugin) 1.41.6 <= Multiple Vulnerabilities

==============================================================================
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilitis
==============================================================================

Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure

OSVDB ID: 56602, 56603
Secunia Advisory ID: 36031

Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality

Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply


Product Overview
================

TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as
file browser to view, upload, delete,rename files and folders on the
web servers.

Vulnerabilities
==================

#1. Default Insecure Configurations

Configuration settings shipped with tinybrowser are relatively insecure by
default. They allow attackers to view, upload, delete,rename files and folders
under its predefined upload directory.

Casual web developers or users might just upload the tinymce browser without
doing any configurations or they might do it later.
Meanwhile,if an attacker luckily finds the tinybrowser directory, which is by default
jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of
insecure default configurations.

This was once a vulnerability of fckeditor(http://fckeditor.net) which has fixed
its hole - if you run fckeditor's file upload page the first time, you'll see
"This connector is disabled. Please check the ....". Tinybrowser should imitate
like this.


#2. Arbitrary Folder Creation

Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
create a folder named "hacked" in /useruploads/images/ directory if that
folder does not exist.


#3. Arbitrary File Hosting

File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file'] = 0; // Other file maximum size
$tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi', 'sh', 'py','asa','asax','config','com','inc');
// Prohibited file extensions

The max allowable upload is not restricted. So it will depend only on web server's default setting or
PHP timeout value. There are not many restricted file types. Here's a way to abuse:
- Create a hidden directory by requesting [PATH]/upload.php?type=file&folder=.hostmyfiles
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound,movie,pictures,zipped archives or even your sample HTML web sites for FREE!

An evil trick to create seemingly interesting folder such as secret and host a
browser-exploit html page that triggers drive-by-download trojan.
When web master browses that folder and clicks the exploit file, then he gets owned.

#4. Cross-site Scripting

Most GET/POST variables are not sanitized.

File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

Exploit: upload.php?badfiles=1{XSS}

#5. Cross-site Request Forgeries

All major actions such as create,delete,rename files/folders are GET/POST XSRF-able.

###########################################################################

A Word
=========

Do not put the blame on the user who might always be lame and lazy to config for security.
Make your software secure by default.
Making things insecure by default is a human(developer/programmer) issue of all (past/current/coming) years round.
Welcome to insecurities. We love'em.

No comments:

Post a Comment