As far as I see, Only Joomla 1.5.12. There is no tinybrowser plugin in < 1.5.12, which makes 1.5.12 unlucky.
They mentioned only just simple image upload. http://developer.joomla.org/security/news/301-20090722-core-file-upload.html When I tested it, I found more, which should be disclosed. Or else users will say 'just forget about it. image upload makes no problem.' On Wed, Jul 29, 2009 at 5:30 AM, laurent gaffie <laurent.gaf...@gmail.com>wrote: > ***this also affect any joomla! >1.5.* *** > > > 2009/7/28 YGN Ethical Hacker Group (http://yehg.net) <li...@yehg.net> > >> >> ============================================================================== >> TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple >> Vulnerabilities >> >> ============================================================================== >> >> Discovered by >> Aung Khant, YGN Ethical Hacker Group, Myanmar >> http://yehg.net/ ~ believe in full disclosure >> >> Advisory URL: >> >> http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities( >> http://yehg.net/lab/#advisories) >> Date published: 2009-07-27 >> Severity: High >> Vulnerability Class: Abuse of Functionality >> Affected Products: >> - TinyMCE editor with TinyBrowser plugin >> - Any web sites/web applications that use TinyMCE editor with TinyBrowser >> plugin >> >> >> Author: Bryn Jones (http://www.lunarvis.com) >> Author Contacted: Yes >> Reply: No reply >> >> >> Product Overview >> ================ >> >> TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as >> file browser to view, upload, delete, rename files and folders on the >> web servers. TinyMCE is supposedly in wider use than its rival fckeditor >> due to faster loading and a little more cleaner interface. TinyMCE is >> mostly found in open-source web applications used as a textarea >> replacement >> html editor for allowing users to do text formatting with ease. >> >> Vulnerabilities >> ================== >> >> #1. Default Insecure Configurations >> >> Configuration settings shipped with tinybrowser are relatively insecure by >> >> default. They allow attackers to view, upload, delete, rename files and >> folders >> under its predefined upload directory. >> >> Casual web developers or users might just upload the TinyMCE browser >> without >> doing any configurations or they might do it later. >> Meanwhile, if an attacker luckily finds the tinybrowser directory, which >> is by default >> jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse because of >> insecure default configurations. >> >> This was once a vulnerability of fckeditor (http://fckeditor.net) which >> has fixed >> its hole - if you run fckeditor's file upload page the first time, you'll >> see >> "This connector is disabled. Please check the ....". Tinybrowser should >> imitate >> like this. >> >> >> #2. Arbitrary Folder Creation >> >> Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will >> create a folder named "hacked" in /useruploads/images/ directory if that >> folder does not exist. >> >> >> #3. Arbitrary File Hosting >> >> File: config_tinybrowser.php >> Code: >> // File upload size limit (0 is unlimited) >> $tinybrowser['maxsize']['image'] = 0; // Image file maximum size >> $tinybrowser['maxsize']['media'] = 0; // Media file maximum size >> $tinybrowser['maxsize']['file'] = 0; // Other file maximum size >> $tinybrowser['prohibited'] = >> array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi', >> 'sh', 'py','asa','asax','config','com','inc'); >> // Prohibited file extensions >> >> The max allowable upload is not restricted. So it will depend only on web >> server's default setting or >> PHP timeout value. There are not many restricted file types. Here's a way >> to abuse: >> - Create a hidden directory by requesting >> [PATH]/upload.php?type=file&folder=.hostmyfiles >> - Then go to /upload.php?type=file&folder=.hostmyfiles >> - Host your sound, movie, pictures, zipped archives or even your sample >> HTML web sites for FREE! >> >> An evil trick to create seemingly interesting folder such as secret and >> host a >> browser-exploit html page that triggers drive-by-download trojan. >> When web master browses that folder and clicks the exploit file, then he >> gets owned. >> >> #4. Cross-site Scripting >> >> Most GET/POST variables are not sanitized. >> >> File: upload.php >> Code: >> $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0); >> $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0); >> $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0); >> >> Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script> >> >> #5. Cross-site Request Forgeries >> >> All major actions such as create, delete, rename files/folders are >> GET/POST XSRF-able. >> >> >> ######################################################################################### >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/