Edit Report

Our sensors found this exploit at:

Below is a copy:

 TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities

Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar ~ believe in full disclosure

Advisory URL:
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser

Author: Bryn Jones (
Author Contacted: Yes
Reply: No reply

Product Overview

TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as file browser to view, upload, delete, rename files and folders on the web servers. TinyMCE is supposedly in wider use than its trival fckeditor due to faster loading and a little more cleaner interface. TinyMCE is mostly found in open-source web applications used as a textarea replacement html editor for allowing users to do text formatting with ease.


#1. Default Insecure Configurations

Configuration settings shipped with tinybrowser are relatively insecure by default. They allow attackers to view, upload, delete, rename files and folders under its predefined upload directory.

Casual web developers or users might just upload the TinyMCE browser without doing any configurations or they might do it later. Meanwhile, if an attacker luckily finds the tinybrowser directory, which is by default jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of insecure default configurations.

This was once a vulnerability of fckeditor ( which has fixed its hole - if you run fckeditor's file upload page the first time, you'll see "This connector is disabled. Please check the ....". Tinybrowser should imitate like this.

#2. Arbitrary Folder Creation

Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will create a folder named "hacked" in /useruploads/images/ directory if that folder does not exist.

#3. Arbitrary File Hosting

File: config_tinybrowser.php
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file']  = 0; // Other file maximum size
$tinybrowser['prohibited'] =
'sh', 'py','asa','asax','config','com','inc');
// Prohibited file extensions

The max allowable upload is not restricted. So it will depend only on web
server's default setting or
PHP timeout value. There are not many restricted file types. Here's a way to
- Create a hidden directory by requesting
- Then go to /upload.php?type=file&folder=.hostmyfiles
- Host your sound, movie, pictures, zipped archives or even your sample HTML
web sites for FREE!

An evil trick to create seemingly interesting folder such as secret and host
browser-exploit html page that triggers drive-by-download trojan.
When web master browses that folder and clicks the exploit file, then he
gets owned.

#4. Cross-site Scripting

Most GET/POST variables are not sanitized.

File: upload.php
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>

#5. Cross-site Request Forgeries

All major actions such as create, delete, rename files/folders are GET/POST

Copyright ©2023 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.