TinyBrowser 1.41.6 XSS / XSRF / Creation

2009-07-28T00:00:00
ID PACKETSTORM:79722
Type packetstorm
Reporter Aung Khant
Modified 2009-07-28T00:00:00

Description

                                        
                                            `==============================================================================  
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilitis  
==============================================================================  
  
Discovered by   
Aung Khant, YGN Ethical Hacker Group, Myanmar   
http://yehg.net/ ~ believe in full disclosure  
  
Advisory URL:  
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities  
Date published: 2009-07-27  
Severity: High  
Vulnerability Class: Abuse of Functionality  
  
Author: Bryn Jones (http://www.lunarvis.com)  
Author Contacted: Yes  
Reply: No reply   
  
  
Product Overview  
================  
  
TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as   
file browser to view, upload, delete,rename files and folders on the   
web servers.  
  
Vulnerabilities  
==================  
  
#1. Default Insecure Configurations   
  
Configuration settings shipped with tinybrowser are relatively insecure by   
default. They allow attackers to view, upload, delete,rename files and folders   
under its predefined upload directory.   
  
Casual web developers or users might just upload the tinymce browser without  
doing any configurations or they might do it later.   
Meanwhile,if an attacker luckily finds the tinybrowser directory, which is by default  
jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of   
insecure default configurations.  
  
This was once a vulnerability of fckeditor(http://fckeditor.net) which has fixed  
its hole - if you run fckeditor's file upload page the first time, you'll see  
"This connector is disabled. Please check the ....". Tinybrowser should imitate   
like this.  
  
  
#2. Arbitrary Folder Creation  
  
Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will  
create a folder named "hacked" in /useruploads/images/ directory if that   
folder does not exist.  
  
  
#3. Arbitrary File Hosting  
  
File: config_tinybrowser.php  
Code:  
// File upload size limit (0 is unlimited)  
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size  
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size  
$tinybrowser['maxsize']['file'] = 0; // Other file maximum size  
$tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi', 'sh', 'py','asa','asax','config','com','inc');  
// Prohibited file extensions  
  
The max allowable upload is not restricted. So it will depend only on web server's default setting or   
PHP timeout value. There are not many restricted file types. Here's a way to abuse:  
- Create a hidden directory by requesting [PATH]/upload.php?type=file&folder=.hostmyfiles   
- Then go to /upload.php?type=file&folder=.hostmyfiles  
- Host your sound,movie,pictures,zipped archives or even your sample HTML web sites for FREE!  
  
An evil trick to create seemingly interesting folder such as secret and host a   
browser-exploit html page that triggers drive-by-download trojan.   
When web master browses that folder and clicks the exploit file, then he gets owned.  
  
#4. Cross-site Scripting  
  
Most GET/POST variables are not sanitized.  
  
File: upload.php  
Code:   
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);  
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);  
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);  
  
Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>  
  
#5. Cross-site Request Forgeries  
  
All major actions such as create,delete,rename files/folders are GET/POST XSRF-able.  
  
###########################################################################  
  
A Word  
=========  
  
Do not put the blame on the user who might always be lame and lazy to config for security.   
Make your software secure by default.  
Making things insecure by default is a human(developer/programmer) issue of all (past/current/coming) years round.   
Welcome to insecurities. We love'em.  
  
  
`