One of my clients recently found out the hard way that there’s a security hole in the tinybrowser plugin for tinyMCE. It’s a quick fix if you’re already using a session variable to manage authenticated users. But it’s not necessarily a straightforward fix if your sessions are managed by Zend_Auth or some other framework.
As gaping a hole as it is, I’m surprised the plugin maker didn’t create some kind of idiot-proofing measures. Then again, it’s a bit like using a firearm: you have to be smart enough to not look down the barrel…
What’s even more surprising is that this is not only exploitable on tons of sites running some of the most popular CMS packages, but that you can actually use Google to find exploitable sites! This has been a known issue for a few years now, but there are still far too many vulnerable sites.
I’m hesitant to give too many details here, as I don’t want to propagate the issue. It’s already too easy a hole to find. But to at least keep non-authorized users from uploading literally anything they want to your site, be sure to open the configuration file and uncomment the following lines:
```php
session_start();
$tinybrowser['sessioncheck'] = 'yourSessVarName'; // name of session variable to check
```
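The harder case mentioned above is an application whose login is handled by Zend_Auth rather than by a session variable you set yourself. The following is an added example, not tinybrowser's or Zend Framework's own code: it assumes Zend Framework 1's Zend_Auth, that `sessioncheck` names a `$_SESSION` key whose presence is what grants access to the upload scripts, and a hypothetical identity object with `id` and `role` properties.

```php
<?php
// Added example (not from tinybrowser or Zend Framework). Bridges a Zend_Auth login to the
// $_SESSION key that tinybrowser's 'sessioncheck' looks for, and removes it again on logout.

// Must match $tinybrowser['sessioncheck'] in config_tinybrowser.php.
define('TB_SESSION_KEY', 'yourSessVarName');

// Call right after Zend_Auth has processed a login attempt. Only users in an explicitly
// allowed role receive the tinybrowser flag; other authenticated users never get upload rights.
function grantTinybrowserAccess(Zend_Auth_Result $result, array $uploadRoles)
{
    if (!$result->isValid()) {
        return false;
    }
    $identity = $result->getIdentity(); // assumed: object with ->id and ->role (app-specific)
    if (!isset($identity->role) || !in_array($identity->role, $uploadRoles, true)) {
        return false;
    }
    if (session_id() === '') {          // Zend_Session usually has started it already
        session_start();
    }
    session_regenerate_id(true);        // do not carry the pre-login session id into the authenticated session
    $_SESSION[TB_SESSION_KEY] = $identity->id; // any non-null value satisfies an isset() check
    return true;
}

// Call from the logout action so the upload flag cannot outlive the Zend_Auth identity.
function revokeTinybrowserAccess()
{
    Zend_Auth::getInstance()->clearIdentity();
    if (session_id() !== '') {
        unset($_SESSION[TB_SESSION_KEY]);
        session_regenerate_id(true);
    }
}

// Typical login-controller flow (the auth adapter is application-specific and omitted here):
// $result = Zend_Auth::getInstance()->authenticate($adapter);
// grantTinybrowserAccess($result, array('editor', 'admin'));
```

With this in place, a request to the tinybrowser scripts from a visitor who never logged in, or who logged in without an upload role, finds no `$_SESSION['yourSessVarName']` and is refused.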
If you’re concerned about your own site and would like a simple way to see if it’s vulnerable, contact me and I’ll send details.