Ravens PHP Scripts - TinyMCE/TinyBrowser Cross-Site Scripting and Cross-Site Request Forgery

SECUNIA ADVISORY ID: SA36031

VERIFY ADVISORY: http://secunia.com/advisories/36031/

SEVERITY: High

AFFECTED PRODUCTS:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin

DESCRIPTION: Aung Khant has reported some vulnerabilities in TinyBrowser, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. The vulnerabilities are reported in version 1.41.6. Other versions may also be affected.

1) Input passed to the "goodfiles", "badfiles", and "dupfiles" parameters in upload.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. delete uploaded files if a logged-in user visits a specially crafted web site.

SOLUTION: Edit the source code to ensure that input is properly sanitised. Do not browse untrusted websites or follow untrusted links while logged in to the application.

PROVIDED AND/OR DISCOVERED BY: Aung Khant, YGN Ethical Hacker Group

ORIGINAL ADVISORY: http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities