SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   TinyMCE Compressor
Vendors:   Moxiecode Systems
TinyMCE Compressor Input Validation Bug Discloses File Contents and Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015424
SecurityTracker URL:  http://securitytracker.com/id/1015424
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 30 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.05 and prior versions
Description:   A vulnerability was reported in TinyMCE Compressor. A remote user can view the contents of files on the target system. A remote user can conduct cross-site scripting attacks.

The script does not properly validate user-supplied input from URL parameters. A remote user may be able to supply a specially crafted filename as a parameter value to cause the script to display the file contents.

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TinyMCE software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The specific impact depends on the application that uses TinyMCE Compressor.

The vendor was notified on December 27, 2005.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

The original advisory is available at:

http://www.hardened-php.net/advisory_262005.111.html

Impact:   A remote user can view the contents of files on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TinyMCE software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fixed version (1.06), available at:

http://tinymce.moxiecode.com/download.php

Vendor URL:  tinymce.moxiecode.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Advisory 26/2005: TinyMCE Compressor

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: TinyMCE Compressor Vulnerabilities
 Release Date: 2005/12/29
Last Modified: 2005/12/29
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: TinyMCE Compressor <= 1.0.5
               Applications that bundle it like Wordpress 2.0
     Severity: Unchecked user input is directly used within filenames
               or printed into the output buffer which allows disclosure
               of arbitrary files and XSS attacks
         Risk: Medium
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_262005.111.html


Overview:

   TinyMCE is a platform independent web based Javascript HTML WYSIWYG 
   editor control released as Open Source under LGPL by Moxiecode 
   Systems AB. It has the ability to convert HTML TEXTAREA fields or 
   other HTML elements to editor instances. TinyMCE is very easy to 
   integrate into other CMS systems.
   
   The TinyMCE Compressor is a PHP script available from the TinyMCE
   developers that compresses the generated JavaScript by up to 70% to
   greatly increase the speed of TinyMCE.

   A quick audit of the compressor script revealed that several
   user supplied input variables are not checked and used directly to 
   construct filenames for files that are returned to the user.
   Additionally some variables are directly printed to the request
   body. This can be used by attackers to not only view files on the 
   server but also for Cross Site Scripting (XSS) attacks.


Details:

   TinyMCE optionally comes with a PHP script that handles compression
   of generated JavaScript output up to 70% and is used to improve the
   speed of TinyMCE greatly. TinyMCE, as an HTML WYSIWYG editor, is often
   bundled with 3rd party applications, like the recently released
   Wordpress 2.0 blogging software.
   
   The TinyMCE compressor script allows the selection of things like
   language, plugins and themes from within URL variables and does not
   properly validate them. Because there is no check enforced on the
   content of these variables it is possible to specify not only
   illegal filenames but also filenames outside of the dedicated
   directories. It is only required to truncate the end of the filename,
   for example with an ASCII NUL, which is not possible when the
   server is running the latest version of the Hardening-Patch for PHP.
   
   If the attacker succeeds in supplying the name of a file reachable by
   the webserver user, TinyMCE Compressor will print its content into
   the request body, leading to a file disclosure vulnerability. It
   is obvious that if the attacker is able to inject JavaScript into
   a file on the server and is able to include this file, that he can
   use this for Cross Site Scripting (XSS) attacks.
   
   In addition to the file disclosure vulnerability, variables like
   'index' are directly printed into the request body and therefore
   it is possible to directly inject any kind of HTML/JavaScript tags
   into the output. It is obvious that this leads to possible XSS 
   attacks.
   	 
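   The two patterns the advisory describes (a URL variable used unchecked
   to build a filename, and a URL variable such as 'index' printed straight
   into the response) are shown below next to a hardened form of each. This
   is an added illustration in PHP, not TinyMCE's compressor code and not
   code from the Hardened-PHP Project; the directory layout, the parameter
   names 'lang' and 'index', and the JavaScript variable 'compressorIndex'
   are assumptions made for the example.

```php
<?php
// Added illustration, not TinyMCE's own compressor code. The directory
// layout (tinymce/langs/<name>.js), the parameter names 'lang' and 'index',
// and the JavaScript variable 'compressorIndex' are assumptions.

declare(strict_types=1);

const TINYMCE_BASE = __DIR__ . '/tinymce';   // assumed install location

// ---- Pattern 1: URL parameter used directly to build a filename ---------

// Vulnerable shape: the parameter is concatenated into the path unchanged,
// so any file the web server user can read (including one outside langs/,
// or a name cut short at a NUL byte on the PHP builds of that era) is sent
// back to the client.
function vulnerable_read_lang(string $lang): string
{
    return (string) @file_get_contents(TINYMCE_BASE . '/langs/' . $lang . '.js');
}

// Hardened: accept only a short identifier, then confirm the resolved path
// still lies below the intended directory. The allowlist already rejects
// NUL bytes, slashes and dots; the realpath() check is defence in depth.
function safe_lang_path(string $lang): ?string
{
    if (preg_match('/\A[A-Za-z0-9_]{1,16}\z/', $lang) !== 1) {
        return null;
    }
    $dir  = realpath(TINYMCE_BASE . '/langs');
    $file = realpath(TINYMCE_BASE . '/langs/' . $lang . '.js');
    if ($dir === false || $file === false) {
        return null;                     // directory or file does not exist
    }
    $prefix = $dir . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;                     // a symlink or similar led outside langs/
    }
    return $file;
}

function safe_read_lang(string $lang): string
{
    $path = safe_lang_path($lang);
    if ($path === null) {
        http_response_code(400);
        return '';
    }
    return (string) file_get_contents($path);
}

// ---- Pattern 2: URL parameter printed straight into the response --------

// Vulnerable shape: the value lands in the response body untouched, so it
// can carry arbitrary HTML or script when a browser renders the output.
function vulnerable_emit_index(string $index): string
{
    return "var compressorIndex = " . $index . ";\n";
}

// Hardened: the only legitimate value here is a small non-negative integer,
// so reject anything else rather than trying to escape it. A value that had
// to remain a string would go through json_encode() with the JSON_HEX_*
// flags to produce a literal that is safe inside both JavaScript and HTML.
function safe_emit_index(string $index): string
{
    if (preg_match('/\A[0-9]{1,6}\z/', $index) !== 1) {
        $index = '0';
    }
    return 'var compressorIndex = ' . (int) $index . ";\n";
}

// Entry point for the hardened variant; the Content-Type header also keeps
// a browser from treating the compressor's output as an HTML document.
header('Content-Type: text/javascript; charset=utf-8');
echo safe_emit_index((string) ($_GET['index'] ?? '0'));
echo safe_read_lang((string) ($_GET['lang'] ?? 'en'));
```

   The allowlist is the control that matters: it closes the NUL-truncation
   case the advisory mentions and the plain outside-the-directory case in
   one check, independent of whether the Hardening-Patch is installed. The
   realpath() comparison only guards against a file inside langs/ pointing
   elsewhere, and the integer coercion for 'index' removes the need to
   reason about HTML or JavaScript escaping at all.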

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for 
   this vulnerability to the public.


Disclosure Timeline:

   27. December 2005 - Disclosed vulnerability to vendor
   27. December 2005 - During the following coffee break the
                       vendor response arrived
   27. December 2005 - Five hours after our notification a
                       fixed version is released, unfortunately
                       the fix was incomplete
   29. December 2005 - Vendor releases the corrected version
   29. December 2005 - Public Disclosure


Recommendation:

   It is strongly recommended to upgrade to the new version of
   TinyMCE Compressor which you can download at:

      http://tinymce.moxiecode.com/download.php
      
   Additionally we recommend installing our Hardening-Patch for
   PHP which makes part of the discovered vulnerabilities
   unexploitable.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDtFYBRDkUzAqGSqERAvf7AJ9IeskRnPSVohl29DztFQi6MKvfkwCgraw+
Lte0WOm/B7Jf2HUJnHQjGcM=
=XD9G
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 








Copyright 2019, SecurityGlobal.net LLC