TinyMCE Compressor Vulnerabilities

Credit: Stefan Esser
Risk: Low
Local: No
Remote: Yes

CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: TinyMCE Compressor Vulnerabilities Release Date: 2005/12/29 Last Modified: 2005/12/29 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]] Application: TinyMCE Compressor <= 1.0.5 Applications that bundle it like Wordpress 2.0 Severity: Unchecked user input is directly used within filenames or printed into the output buffer which allows disclosure of arbitrary files and XSS attacks Risk: Medium Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory_262005.111.html Overview: TinyMCE is a platform independent web based Javascript HTML WYSIWYG editor control released as Open Source under LGPL by Moxiecode Systems AB. It has the ability to convert HTML TEXTAREA fields or other HTML elements to editor instances. TinyMCE is very easy to integrate into other CMS systems. The TinyMCE Compressor is a PHP script available by the TinyMCE developers that compressed the generated JavaScript up to 70% to greatly increase the speed of TinyMCE. A quick audit of the compressor script revealed that several user supplied input variables are not checked and used directly to construct filenames for files that are returned to the user. Additionally some variables are directly printed to the request body. This can be used by attackers to not only view files on the server but also for Cross Site Scripting (XSS) attacks. Details: TinyMCE optionally comes with a PHP script that handles compression of generated JavaScript output up to 70% and is used to improve the speed of TinyMCE greatly. TinyMCE as HTML WYSIWYG editor is often bundled with 3rd party applications, like the recently released Wordpress 2.0 blogging software. The TinyMCE compressor script allows the selection of things like language, plugins, themes from within URL variables and does not properly validate them. Because there is no check enforced on the content of these variables it is possible to specify not only illegal but also filenames outside of the dedicated directories. It is only required to truncate the end of the filename with for example an ASCII NUL. Which is for example not possible when the server is running the latest version of the Hardening-Patch for PHP. If the attacker succeeds in supplying a name of a file reachable by the webserver user TinyMCE Compressor will print it's content into the request body, leading to a file disclosure vulnerability. It is obvious that if the attacker is able to inject JavaScript into a file on the server and is able to include this file, that he can use this for Cross Site Scripting (XSS) attacks. Additionally to the file disclosure vulnerability variables like 'index' are directly printed into the request body and therefore it is possible to directly inject any kind of HTML/JavaScript tags into the output. It is obvious that this leads to possible XSS attacks. Proof of Concept: The Hardened-PHP project is not going to release exploits for this vulnerability to the public. Disclosure Timeline: 27. December 2005 - Disclosed vulnerability to vendor 27. December 2005 - During the following coffee break the vendor response arrived 27. December 2005 - Five hours after our notification a fixed version is released, unfortunately the fix was incomplete 29. December 2005 - Vendor releases the corrected version 29. December 2005 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the new version of TinyMCE Compressor which you can download at: http://tinymce.moxiecode.com/download.php Additionally we recommend installing our Hardening-Patch for PHP which makes part of the discovered vulnerabilities un- exploitable. GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFDtFYBRDkUzAqGSqERAvf7AJ9IeskRnPSVohl29DztFQi6MKvfkwCgraw+ Lte0WOm/B7Jf2HUJnHQjGcM= =XD9G -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com


Back to Top