News
Contributed by: Lauren Gerber
Date: July 30, 2009
Being a victim of a mugging or crime is never easy. In some cases people are required to seek counseling, and the trauma seems to last long after the incident itself. The same applies to being a victim of an online crime: the consequences remain long after your machine has actually been attacked. For example, if an online attacker manages to access your information and commit identity theft, can you imagine how long it would take you to recover? I am talking about recovering in all aspects, emotionally as well as financially. The best way to not go through any of this is to avoid becoming a victim, although in most cases this is easier said than done.

There are some new vulnerabilities to be aware of in the TinyBrowser web file browser, a product of Lunarvis. Let me first tell you more about the fantastic TinyBrowser. It is a customized file browser that was initially developed for the popular TinyMCE content editor. It comes with a great multiple file upload facility as well as file edit functions. TinyBrowser has many remarkable features which can assist you in your day-to-day file activities, both for business and for recreational usage. It supports the following browsers: Google Chrome, Opera 9, Safari 3, Firefox 2 as well as Internet Explorer 6. Some of the files of Internet Explorer 6 include: BCT9XP.BAT, BCTVER.EXE, CONAN.EXE as well as configure.com.

Now let me explain more about the vulnerabilities. Basically, malicious online attackers could exploit these issues in order to host certain arbitrary code on a machine that is insecure. The attacker will also be able to upload and delete arbitrary files, create folders, and perform cross-site scripting attacks. These attacks could unfortunately lead directly to other attacks on your machine.
Table 1. Some of the many features of TinyBrowser.

The interesting news which should be brought to all users' attention is that some of these vulnerabilities are claimed to be related to vulnerabilities in Joomla, namely the remote file upload as well as the information disclosure error within Joomla. I am sure that at this point you are wondering which versions are vulnerable. Do not despair, because I shall not keep you in despair any longer. The version of TinyBrowser that is vulnerable is version 1.41.6. Users should be aware that there is a risk of other versions also being affected. There are no patches available just yet, but if we keep a look out for one, it may just happen. I would like to leave you with a quote in conclusion: "You can't defend. You can't prevent. The only thing you can do is detect and respond." - Bruce Schneier



User Comments
The author's explanation of how to set this up:
"
Just a general note to everyone, when you enable session control in the TinyBrowser configuration, you have to set a value for $tinybrowser['sessioncheck'] - it should be changed to equal the name of whatever session variable you need to check. So, let's say you have a login system that sets a variable called $_SESSION['good_user'] on successful login, then the value in the TinyBrowser config for $tinybrowser['sessioncheck'] should be:
$tinybrowser['sessioncheck'] = 'good_user';
"
see http://tinymce.moxiecode.com/punb/viewtopic.php?pid=46561
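
A sketch of the session gate the comment above describes, as an added example that is not TinyBrowser's own code or part of the original comment. Only `$tinybrowser['sessioncheck']` and `good_user` come from the page; the function names, the boolean flag value and the sample sessions are hypothetical.

```php
<?php
// Added example, not TinyBrowser's code. Session arrays are passed in
// explicitly (instead of using $_SESSION) so the sketch runs from the CLI.

$tinybrowser = [];
// The NAME of the session variable the login system sets, not its value.
$tinybrowser['sessioncheck'] = 'good_user';

// Hypothetical login handler: in this sketch a successful login stores
// boolean true under $_SESSION['good_user'].
function mark_logged_in(array $session): array
{
    $session['good_user'] = true;
    return $session;
}

// Hypothetical gate in front of the file browser. It fails closed: a
// missing or empty 'sessioncheck' denies access instead of skipping the check.
function browser_access_allowed(array $config, array $session): bool
{
    $name = $config['sessioncheck'] ?? '';
    if (!is_string($name) || $name === '') {
        return false; // session control not configured: deny
    }
    // The named variable must exist and be strictly true.
    return isset($session[$name]) && $session[$name] === true;
}

// Constructed sessions covering the cases an administrator should test.
$cases = [
    'anonymous visitor'           => [],
    'logged-in user'              => mark_logged_in([]),
    'login sets a different name' => ['logged_in' => true],
];

foreach ($cases as $label => $session) {
    $verdict = browser_access_allowed($tinybrowser, $session) ? 'allow' : 'deny';
    printf("%-30s %s\n", $label, $verdict);
}

// Misconfiguration: 'sessioncheck' left empty while a user is logged in.
$verdict = browser_access_allowed(['sessioncheck' => ''], mark_logged_in([])) ? 'allow' : 'deny';
printf("%-30s %s\n", 'empty sessioncheck value', $verdict);
```

The third case is the one the comment warns about: if the name in the configuration does not match the variable the login system actually sets, the check never lines up with a real login.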