TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities

==============================================================================
 TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
==============================================================================

Discovered by 
Aung Khant, YGN Ethical Hacker Group, Myanmar 
http://yehg.net/ ~ believe in full disclosure

Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products: 
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin


Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply 


Product Overview
================

TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as 
file browser to view, upload, delete, rename files and folders on the 
web servers. 


Vulnerabilities
==================

#1. Default Insecure Configurations 

Configuration settings shipped with tinybrowser are relatively insecure by 
default. They allow attackers to view, upload, delete, rename files and folders 
under its predefined upload directory. 

Casual web developers or users might just upload the TinyMCE browser without
doing any configurations or they might do it later. 
Meanwhile, if an attacker luckily finds the tinybrowser directory, which is by default
jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of 
insecure default configurations.

This was once a vulnerability of fckeditor (http://fckeditor.net) which has fixed
its hole - if you run fckeditor's file upload page the first time, you'll see
"This connector is disabled. Please check the ....". Tinybrowser should imitate 
like this.


#2. Arbitrary Folder Creation

Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
create a folder named "hacked" in /useruploads/images/ directory if that 
folder does not exist.


#3. Arbitrary File Hosting

File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file']  = 0; // Other file maximum size
$tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi', 'sh', 'py','asa','asax','config','com','inc');
// Prohibited file extensions

The max allowable upload is not restricted. So it will depend only on web server's default setting or 
PHP timeout value. There are not many restricted file types. Here's a way to abuse:
- Create a hidden directory by requesting [PATH]/upload.php?type=file&folder=.hostmyfiles  
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound, movie, pictures, zipped archives or even your sample HTML web sites for FREE!

An evil trick to create seemingly interesting folder such as secret and host a 
browser-exploit html page that triggers drive-by-download trojan. 
When web master browses that folder and clicks the exploit file, then he gets owned.

#4. Cross-site Scripting

Most GET/POST variables are not sanitized.

File: upload.php
Code: 
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>

#5. Cross-site Request Forgeries

All major actions such as create, delete, rename files/folders are GET/POST XSRF-able.

#########################################################################################

# milw0rm.com [2009-07-28]