TinyBrowser 1.32 Upload Shell Vulnerability

2012-11-14T00:00:00
ID 1337DAY-ID-19732
Type zdt
Reporter MustLive
Modified 2012-11-14T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #  Title:  TinyBrowser 1.32 Upload Shell php.jpg_ Vulnerability 
# Google Dork:inurl:js/tiny_mce/plugins/tinybrowser/
-------------------------
Affected products:
-------------------------

Vulnerable are TinyBrowser v1.42 and previous versions (and all web
applications which are using it, such as TinyMCE). Developer fixed these
holes in the next version 1.43 already in February, after my informing, but
this version still was not released. So contact developer for new version.

----------
Details:
----------

Code Execution (WASC-31):

Execution of arbitrary code is possible due to bypass of program's security
filters (on web servers IIS and Apache).

Code will execute via file uploading. Program is vulnerable to three methods
of code execution:

1. Via using of symbol ";" (1.asp;.txt) in file name (IIS).

2. Via "1.asp" in folder name (IIS).

3. Via double extension (1.php.txt) (Apache with special configuration).

------------
Timeline:
------------

2011.02.11 - announced at my site.
2011.02.14 - informed developer.
2011.02.17 - developer answered, that he has just fixed them in the next
version 1.43.
2011.07.14 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4922/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

Demo





http://asrotexgroup.com/js/tiny_mce/plugins/tinybrowser/upload.php
eana.com/iq/js/tiny_mce/plugins/tinybrowser
http://versosperfectos.com/js/tiny_mce/plugins/tinybrowser/upload.php
http://www.invernomuto.net/public/tpl_jupiter/js/tiny_mce/plugins/tinybrowser/tinybrowser.php



#  0day.today [2017-12-31]  #