TinyBrowser plugin exploit common on Joomla 1.5 installations

I tested this against Joomla 1.5.12 and indeed it is a security hole that can easily be exploited.

TinyBrowser is a plugin for the TinyMCE JavaScript editor that acts as a file browser to view, upload, delete and rename files and folders on your server.

Vulnerabilities

1. Default Insecure Configurations

The configuration settings shipped by default with TinyBrowser are insecure, and many people who upload this plugin will not change them. I have recently audited a couple of Joomla-based sites for clients and found this to be the case.
jscripts/tiny_mce/plugins/tinybrowser is the default access path.

I remember fckeditor suffering a similar problem a while back and the final payload in a teaser directory is very similar.

2. Folder Creation by path request

Requesting /tinybrowser.php?type=image&folder=abc123 creates a folder named "abc123" in the /useruploads/images/ directory.

3. File hosting attack

File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file'] = 0; // Other file maximum size
$tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc',
    'pl','bat','exe','dll','reg','cgi','sh','py','asa','asax','config','com','inc'); // Prohibited file extensions

There appears to be no maximum allowable upload size by default (although the server itself may have this locked down).

To overwrite, we simply need to create a hidden directory by requesting
[full pathname]/upload.php?type=file&folder=.hiddendir

Then it’s a matter of going to /upload.php?type=file&folder=.hiddendir

My clients had Trojans in that folder, ready to be clicked and drop their payload onto the server.  Nasty. 

4. Cross-site Scripting

Most GET/POST variables are not sanitised.

File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>

5. Cross-site Request Forgeries

All major actions, such as creating, deleting and renaming files/folders, are GET/POST XSRF-able.

All in all, a nasty vulnerability that requires instant patching.  I am seeing lots of requests for this pathname on non-Joomla sites so there are lots of automated bot attacks out there.  Patch up or be hacked.
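One way to check a web server access log for the request patterns described in this post, as an added example that is not part of the original post or of TinyBrowser. It assumes Apache combined log format and the default plugin path; the sample log lines, addresses and label names are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Default access path named in the post; adjust if the plugin lives elsewhere.
TINYBROWSER_PATH = "/plugins/tinybrowser/"
# upload.php parameters that the post shows being read without sanitising.
COUNTERS = ("goodfiles", "badfiles", "dupfiles")
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample input (documentation addresses, not real traffic).
P = "/jscripts/tiny_mce/plugins/tinybrowser/"
LINE = '{} - - [12/Oct/2009:10:01:02 +0000] "GET {} HTTP/1.1" {} 512 "-" "-"'
SAMPLE_LOG = [LINE.format(ip, target, status) for ip, target, status in [
    ("198.51.100.7", P + "tinybrowser.php?type=image&folder=abc123", 200),
    ("198.51.100.7", P + "upload.php?type=file&folder=.hiddendir", 200),
    ("203.0.113.9", P + "upload.php?badfiles=1%22%3E", 200),
    ("192.0.2.15", "/index.php?option=com_content", 200),
    ("203.0.113.9", P + "upload.php?type=file&goodfiles=2", 404),
]]

def classify(line):
    """Return (client, status, findings) for a TinyBrowser request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    url = urlsplit(target)
    if TINYBROWSER_PATH not in url.path.lower():
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    findings = ["tinybrowser-request"]
    for folder in params.get("folder", []):
        # A dot-prefixed segment is a hidden directory that is easy to
        # overlook when reviewing the upload tree.
        segments = folder.replace("\\", "/").split("/")
        if any(seg.startswith(".") for seg in segments):
            findings.append("dot-folder")
    for name in COUNTERS:
        # These values should only ever be plain integers.
        if any(not re.fullmatch(r"[0-9]+", v) for v in params.get(name, [])):
            findings.append("non-numeric-" + name)
    return client, status, findings

def scan(lines):
    """Classify every line and keep only the TinyBrowser hits."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, status, findings in scan(SAMPLE_LOG):
        print(client, status, ",".join(findings))
```

A 200 status on any hit means the plugin is present and answering; hits that only return 404 are the automated probing mentioned above.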

2 Responses to “TinyBrowser plugin exploit common on Joomla 1.5 installations”

  1. Mark

    Change the title, the exploit has nothing to do with TinyMCE, it is TinyBrowser that has the vulnerability.
