TinyBrowser Remote File Upload Vulnerability Analysis

From sentiment blog

Program description:
TinyBrowser allows you to configure whether to allow upload, deletion, editing, and other operations.
Supports multiple uploads and displays the upload progress.
Allows you to edit images, such as rotating images.
You can view the file based on the image name and thumbnail list.
Supports FCKeditor Editor
Vulnerability Analysis:

Next let's look at the upload. php program code
1 <? Php
2 require_once (config_tinybrowser.php );
3 // Set language
4 if (isset ($ tinybrowser [language]) & file_exists (langs/. $ tinybrowser [language].. php ))
5 {
6 require_once (langs/. $ tinybrowser [language] .. php );
7}
8 else
9 {
10 require_once (langs/en. php); // Falls back to English
11}
12 require_once (fns_tinybrowser.php );
13
14 // Check session, if it exists
15 if (session_id ()! =)
16 {
17 if (! Isset ($ _ SESSION [$ tinybrowser [sessioncheck])
18 {
19 echo TB_DENIED;
20 exit;
21}
22}
23
24 if (! $ Tinybrowser [allowupload])
25 {
26 echo TB_UPDENIED;
27 exit;
28}
29
30 // Assign get variables
31 $ validtypes = array (image, media, file );
32 $ typenow = (isset ($ _ GET [type]) & in_array ($ _ GET [type], $ validtypes ))? $ _ GET [type]: image );
33 $ foldernow = str_replace (array (.. /,.. \,. /,. \), ($ tinybrowser [allowfolders] & isset ($ _ REQUEST [folder])? Urldecode ($ _ REQUEST [folder]):);
34 $ passfolder = & folder =. urlencode ($ foldernow );
35 $ passfeid = (isset ($ _ GET [feid]) & $ _ GET [feid]! =? & Feid =. $ _ GET [feid]:);
36 $ passupfeid = (isset ($ _ GET [feid]) & $ _ GET [feid]! =? $ _ GET [feid]:);
37
38 // Assign upload path
39 $ uploadpath = urlencode ($ tinybrowser [path] [$ typenow]. $ foldernow );
40
41 // Assign directory structure to array
42 $ uploaddirs = array ();
43 dirtree ($ uploaddirs, $ tinybrowser [filetype] [$ typenow], $ tinybrowser [docroot], $ tinybrowser [path] [$ typenow]);
44
45 // determine file dialog file types
46 switch ($ _ GET [type])
47 {
48 case image:
49 $ filestr = TB_TYPEIMG;
50 break;
51 case media:
52 $ filestr = TB_TYPEMEDIA;
53 break;
54 case file:
55 $ filestr = TB_TYPEFILE;
56 break;
57}
58 $ fileexts = str_replace (",", ";", $ tinybrowser [filetype] [$ _ GET [type]);
59 $ filelist = $ filestr. (. $ tinybrowser [filetype] [$ _ GET [type].);
60
61 // Initalise alert array
62 $ policy = array (
63 type => array (),
64 message => array ()
65 );
66 $ goodqty = (isset ($ _ GET [goodfiles])? $ _ GET [goodfiles]: 0 );
67 $ badqty = (isset ($ _ GET [badfiles])? $ _ GET [badfiles]: 0 );
68 $ dupqty = (isset ($ _ GET [dupfiles])? $ _ GET [dupfiles]: 0 );
69
70 if ($ goodqty> 0)
71 {
72 $ policy [type] [] = success;
73 $ notify [message] [] = sprintf (TB_MSGUPGOOD, $ goodqty );
74}
75 if ($ badqty> 0)
76 {
77 $ policy [type] [] = failure;
78 $ messaging y [message] [] = sprintf (TB_MSGUPBAD, $ badqty );
79}
80 if ($ dupqty> 0)
81 {
82 $ policy [type] [] = failure;
83 $ policy [message] [] = sprintf (TB_MSGUPDUP, $ dupqty );
84}
85 if (isset ($ _ GET [permerror])
86 {
87 $ policy [type] [] = failure;
88 $ policy [message] [] = sprintf (TB_MSGUPFAIL, $ tinybrowser [docroot]. $ tinybrowser [path] [$ typenow]);
89}
90?>
91 <! DOCTYPE html PUBLIC "-// W3C // dtd xhtml 1.0 Strict // EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
92 93 94 <title> TinyBrowser: <? Php echo TB_UPLOAD;?> </Title>
95 <meta http-equiv = "Content-Type" content = "text/html; charset = UTF-8"/>
96 <meta http-equiv = "Pragma" content = "no-cache"/>
97 <? Php
98 if ($ passfeid ==& & $ tinybrowser [integration] = tinymce)
99 {
100?> <Link rel = "stylesheet" type = "text/css" media = "all" href = "<? Php echo $ tinybrowser [tinymcecss];?> "/> <? Php
101}
102 else
103 {
104?> <Link rel = "stylesheet" type = "text/css" media = "all" href = "css/stylefull_tinybrowser.css"/> <? Php
105}
106?>
107 <link rel = "stylesheet" type = "text/css" media = "all" href = "css/style_tinybrowser.css.php"/>
108 <script type = "text/javascript" src = "js/swfobject. js"> </script>
109 <script type = "text/javascript">
110 function uploadComplete (url ){
111 document. location = url;
112}
113 </script>
114 115 <body onload =
116 var so = new SWFObject ("flexupload.swf", "mymovie", "100%", "340", "9", "# ffffff ");
117 so. addVariable ("folder", "<? Php echo $ uploadpath;?> ");
118 so. addVariable ("uptype", "<? Php echo $ typenow;?> ");
119 so. addVariable ("destid", "<? Php echo $ passupfeid;?> ");
120 so. addVariable ("maxsize", "<? Php echo $ tinybrowser [maxsize] [$ _ GET [type];?> ");
121 so. addVariable ("sessid", "<? Php echo session_id ();?> ");
122 so. addVariable ("obfus", "<? Php echo md5 ($ _ SERVER [DOCUMENT_ROOT]. $ tinybrowser [obfuscate]);?> ");
123 so. addVariable ("filenames", "<? Php echo $ filelist;?> ");
124 so. addVariable ("extensions", "<? Php echo $ fileexts;?> ");
125 so. addVariable ("filenamelbl", "<? Php echo TB_FILENAME;?> ");
126 so. addVariable ("sizelbl", "<? Php echo TB_SIZE;?> ");
127 so. addVariable ("typelbl", "<? Php echo TB_TYPE;?> ");
128 so. addVariable ("progresslbl", "<? Php echo TB_PROGRESS;?> ");
129 so. addVariable ("browselbl", "<? Php echo TB_BROWSE;?> ");
130 so. addVariable ("removelbl", "<? Php echo TB_REMOVE;?> ");
131 so. addVariable ("uploadlbl ","