
Advisory 26/2005: TinyMCE Compressor Vulnerabilities





                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: TinyMCE Compressor Vulnerabilities
 Release Date: 2005/12/29
Last Modified: 2005/12/29
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: TinyMCE Compressor <= 1.0.5
               Applications that bundle it like Wordpress 2.0
     Severity: Unchecked user input is used directly in filenames or
               printed into the output buffer, which allows disclosure
               of arbitrary files and XSS attacks
         Risk: Medium
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_262005.111.html


Overview:

   TinyMCE is a platform independent web based Javascript HTML WYSIWYG 
   editor control released as Open Source under LGPL by Moxiecode 
   Systems AB. It has the ability to convert HTML TEXTAREA fields or 
   other HTML elements to editor instances. TinyMCE is very easy to 
   integrate into other CMS systems.
   
   The TinyMCE Compressor is a PHP script available from the TinyMCE
   developers that compresses the generated JavaScript by up to 70% to
   greatly increase the loading speed of TinyMCE.

   A quick audit of the compressor script revealed that several
   user-supplied input variables are not checked and are used directly
   to construct the names of files that are returned to the user.
   Additionally, some variables are printed directly into the response
   body. This lets attackers not only read files on the server but
   also mount Cross Site Scripting (XSS) attacks.


Details:

   TinyMCE optionally comes with a PHP script that compresses the
   generated JavaScript output by up to 70% and is used to greatly
   improve the loading speed of TinyMCE. TinyMCE, as an HTML WYSIWYG
   editor, is often bundled with 3rd party applications, like the
   recently released Wordpress 2.0 blogging software.
   
   The TinyMCE Compressor script lets the language, plugins and theme
   be selected through URL variables and does not properly validate
   them. Because no check is enforced on the content of these
   variables, it is possible to specify not only invalid names but
   also filenames outside of the dedicated directories. The only
   requirement is to truncate the fixed ending of the filename, for
   example with an ASCII NUL, which is not possible when the server
   is running the latest version of the Hardening-Patch for PHP.
   
   If the attacker succeeds in supplying the name of a file readable
   by the webserver user, TinyMCE Compressor will print its content
   into the response body, leading to a file disclosure vulnerability.
   Obviously, if the attacker is able to place JavaScript in a file
   on the server and is able to include that file, this can be used
   for Cross Site Scripting (XSS) attacks as well.
   
   In addition to the file disclosure vulnerability, variables like
   'index' are printed directly into the response body, so arbitrary
   HTML/JavaScript tags can be injected into the output. Obviously,
   this also leads to possible XSS attacks.
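   As an added illustration (not TinyMCE's or Hardened-PHP's code) of
   how such a script can be hardened: every name taken from the URL is
   checked against an allow-list before it reaches the filesystem, the
   resolved path is confirmed to lie inside the intended directory, and
   the only user-derived value echoed into the output is encoded. The
   parameter names come from this advisory; the directory layout, file
   suffixes and output format are assumptions.

```php
<?php
// Added example, not code from TinyMCE or Hardened-PHP: a hardened way to map the
// compressor's URL parameters (language, theme, plugins, index, as named in the
// advisory) to files. Layout, suffixes and output format are assumptions (PHP 7.4+).

$base = realpath(__DIR__ . '/jscripts/tiny_mce');

// Fetch a GET parameter as a string, ignoring array-valued input like ?theme[]=x.
$param = fn(string $key, string $default): string =>
    is_string($_GET[$key] ?? null) ? $_GET[$key] : $default;

// Absolute path of $subdir/$name$suffix under $base, or null when $name is not an
// allow-listed token or the canonical file lies outside $subdir.
function safe_component_path(string $base, string $subdir, string $name, string $suffix): ?string
{
    // Allow-list: letters, digits, underscore. Slashes, "..", and control bytes such
    // as NUL (the truncation trick) are rejected before any filesystem call.
    if (preg_match('/^[A-Za-z0-9_]+$/', $name) !== 1) {
        return null;
    }
    $dir  = realpath($base . '/' . $subdir);
    $path = $dir === false ? false : realpath($dir . '/' . $name . $suffix);
    // Defence in depth: the canonical path must still start with "$dir/".
    if ($path === false || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return $path;
}

// 'index' was echoed verbatim by the vulnerable script; accept only an integer.
$index  = filter_var($param('index', '0'), FILTER_VALIDATE_INT);
$wanted = [['langs', $param('language', 'en'), '.js'],
           ['themes', $param('theme', 'default'), '/editor_template.js']];
foreach (array_filter(explode(',', $param('plugins', '')), 'strlen') as $plugin) {
    $wanted[] = ['plugins', $plugin, '/editor_plugin.js'];
}
$files = [];
foreach ($wanted as [$subdir, $name, $suffix]) {
    $path = safe_component_path($base, $subdir, $name, $suffix);
    if ($index === false || $path === null) {
        http_response_code(400);   // any bad parameter rejects the whole request
        exit;
    }
    $files[] = $path;
}

header('Content-Type: text/javascript; charset=utf-8');
// User-derived values reach the output only via json_encode, never verbatim.
echo 'var tinyMCECompressorIndex = ' . json_encode($index) . ";\n";
foreach ($files as $path) {
    echo file_get_contents($path), "\n";
}
```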
         

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for 
   this vulnerability to the public.


Disclosure Timeline:

   27. December 2005 - Disclosed vulnerability to vendor
   27. December 2005 - During the following coffee break the
                       vendor's response arrived
   27. December 2005 - Five hours after our notification a
                       fixed version was released; unfortunately
                       the fix was incomplete
   29. December 2005 - Vendor releases the corrected version
   29. December 2005 - Public Disclosure


Recommendation:

   It is strongly recommended to upgrade to the new version of
   TinyMCE Compressor, which you can download at:

      http://tinymce.moxiecode.com/download.php
      
   Additionally, we recommend installing our Hardening-Patch for
   PHP, which makes part of the discovered vulnerabilities
   unexploitable.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.
