The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure
Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities(
http://yehg.net/lab/#advisories)
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser
plugin
Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply
Product Overview
================
TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as file browser to view, upload, delete, rename files and folders on the web servers. TinyMCE is supposedly in wider use than its trival fckeditor due to faster loading and a little more cleaner interface. TinyMCE is mostly found in open-source web applications used as a textarea replacement html editor for allowing users to do text formatting with ease.
Vulnerabilities
==================
#1. Default Insecure Configurations
Configuration settings shipped with tinybrowser are relatively insecure by default. They allow attackers to view, upload, delete, rename files and folders under its predefined upload directory.
Casual web developers or users might just upload the TinyMCE browser without doing any configurations or they might do it later. Meanwhile, if an attacker luckily finds the tinybrowser directory, which is by default jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of insecure default configurations.
This was once a vulnerability of fckeditor (http://fckeditor.net) which has fixed its hole - if you run fckeditor's file upload page the first time, you'll see "This connector is disabled. Please check the ....". Tinybrowser should imitate like this.
#2. Arbitrary Folder Creation
Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will create a folder named "hacked" in /useruploads/images/ directory if that folder does not exist.
#3. Arbitrary File Hosting
File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file'] = 0; // Other file maximum size
$tinybrowser['prohibited'] =
array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi',
'sh', 'py','asa','asax','config','com','inc');
// Prohibited file extensions
The max allowable upload is not restricted. So it will depend only on web
server's default setting or
PHP timeout value. There are not many restricted file types. Here's a way to
abuse:
- Create a hidden directory by requesting
[PATH]/upload.php?type=file&folder=.hostmyfiles
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound, movie, pictures, zipped archives or even your sample HTML
web sites for FREE!
An evil trick to create seemingly interesting folder such as secret and host
a
browser-exploit html page that triggers drive-by-download trojan.
When web master browses that folder and clicks the exploit file, then he
gets owned.
#4. Cross-site Scripting
Most GET/POST variables are not sanitized.
File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);
Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>
#5. Cross-site Request Forgeries
All major actions such as create, delete, rename files/folders are GET/POST
XSRF-able.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum