Full Disclosure mailing list archives
Re: [Security-news] SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution
From: InterN0T Advisories <advisories () intern0t net>
Date: Wed, 14 Mar 2012 16:28:29 -0400
FYI, this bug was recently fixed by the CKEditor Developers, as the bug itself was in the CKEditor module, not Drupal. (They just use it like everyone else.)

[Image: http://i.imgur.com/IbRbx.jpg]

References:
https://dev.ckeditor.com/ticket/8630#comment:23
http://seclists.org/fulldisclosure/2012/Jan/279
http://forum.intern0t.org/intern0t-advisories/4102-drupal-ckeditor-3-0-3-6-2-persistent-eventhandler-cross-site-scripting.html
http://i.imgur.com/IbRbx.jpg

Best regards,
MaXe

On Wed, 14 Mar 2012 19:03:36 +0000 (UTC), security-news () drupal org wrote:
> * Advisory ID: DRUPAL-SA-CONTRIB-2012-040
> * Project: CKEditor [1], FCKeditor [2] - WYSIWYG HTML editor (third-party module)
> * Version: 6.x, 7.x
> * Date: 2012-March-14
> * Security risk: Highly critical [3]
> * Exploitable from: Remote
> * Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Arbitrary PHP code execution
>
> -------- DESCRIPTION ---------------------------------------------------------
>
> CKEditor and its predecessor FCKeditor allow Drupal to replace textarea fields with the (F)CKEditor - a visual HTML WYSIWYG editor.
>
> The modules have an AJAX callback that filters text to prevent Cross site scripting attacks on content edits. This AJAX callback function contains a number of bugs which allow attackers to choose which filter to execute on chosen text or bypass the filter entirely.
>
> The vulnerability can be used to conduct Cross site scripting (XSS) attacks on privileged users. Attackers can also execute arbitrary PHP code if the core PHP module is enabled. This can happen either directly or by enticing a privileged user to visit a page.
>
> Direct execution of PHP code requires that the attacker has the following privileges:
>
> "access fckeditor" for FCKeditor 6.x
> "access ckeditor" for CKEditor 6.x
>
> No additional permissions are required to directly exploit the PHP code execution flaw on CKEditor 7.x.
>
> -------- VERSIONS AFFECTED ---------------------------------------------------
>
> * FCKeditor 6.x-2.x versions prior to 6.x-2.3.
> * CKEditor 6.x-1.x versions prior to 6.x-1.9.
> * CKEditor 7.x-1.x versions prior to 7.x-1.7.
>
> Drupal core is not affected. If you do not use the contributed CKEditor - WYSIWYG HTML editor [4] module, there is nothing you need to do.
>
> -------- SOLUTION ------------------------------------------------------------
>
> Install the latest version:
>
> * If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor 6.x-2.3 [5].
> * If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor 6.x-1.9 [6].
> * If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.7 [7].
>
> See also the CKEditor - WYSIWYG HTML editor [8] project page.
>
> -------- REPORTED BY ---------------------------------------------------------
>
> * Heine Deelstra [9] of the Drupal Security Team
>
> -------- FIXED BY ------------------------------------------------------------
>
> * Wiktor Walc [10] the module maintainer
>
> -------- CONTACT AND MORE INFORMATION ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].
>
> Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].
>
> [1] http://drupal.org/project/ckeditor
> [2] http://drupal.org/project/fckeditor
> [3] http://drupal.org/security-team/risk-levels
> [4] http://drupal.org/project/ckeditor
> [5] http://drupal.org/node/1482442
> [6] http://drupal.org/node/1482480
> [7] http://drupal.org/node/1482466
> [8] http://drupal.org/project/ckeditor
> [9] http://drupal.org/user/17943
> [10] http://drupal.org/user/184556
> [11] http://drupal.org/contact
> [12] http://drupal.org/security-team
> [13] http://drupal.org/writing-secure-code
> [14] http://drupal.org/security/secure-configuration
>
> _______________________________________________
> Security-news mailing list
> Security-news () drupal org
> http://lists.drupal.org/mailman/listinfo/security-news
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
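An added illustration of the weakness class the advisory describes (an AJAX text-filtering callback where the client picks which text format runs), written against Drupal 7 APIs. This is not code from the CKEditor or FCKeditor modules; the `example_ckeditor_*` functions, the `example/ckeditor/filter` path and the token name are hypothetical.

```php
<?php
// Added example, not the CKEditor/FCKeditor modules' own code. Hypothetical Drupal 7
// callbacks illustrating the weakness class in SA-CONTRIB-2012-040: an AJAX endpoint
// that filters editor text, where the request names the text format to apply.

// Hypothetical menu entry: the endpoint is reachable by anyone holding the module's
// permission, so the callback itself must still validate what it is asked to do.
function example_ckeditor_menu() {
  $items['example/ckeditor/filter'] = array(
    'page callback'    => 'example_ckeditor_filter_hardened',
    'access arguments' => array('access ckeditor'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

// WEAK: the format id is taken from the request unchecked. A caller can name any
// configured format (including an unfiltered one, or one carrying the PHP filter if
// the core PHP module is enabled), and nothing ties the request to the user's session,
// so a privileged user can be made to issue it from another site (CSRF).
function example_ckeditor_filter_weak() {
  $text      = isset($_POST['text']) ? $_POST['text'] : '';
  $format_id = isset($_POST['format']) ? $_POST['format'] : '';
  drupal_json_output(array('html' => check_markup($text, $format_id)));
}

// HARDENED: require a per-session CSRF token, and only honour a format that exists
// and that the current user is permitted to use; otherwise apply the user's default
// format rather than skipping filtering.
function example_ckeditor_filter_hardened() {
  global $user;
  $token = isset($_POST['token']) ? (string) $_POST['token'] : '';
  if (!drupal_valid_token($token, 'example_ckeditor_filter')) {
    return drupal_access_denied();
  }
  $text      = isset($_POST['text']) ? (string) $_POST['text'] : '';
  $format_id = isset($_POST['format']) ? (string) $_POST['format'] : '';

  $format = ($format_id !== '') ? filter_format_load($format_id) : FALSE;
  if (!$format || !filter_access($format, $user)) {
    // Unknown format, or one this account may not use: fall back, never bypass.
    $format_id = filter_default_format($user);
  }
  drupal_json_output(array('html' => check_markup($text, $format_id)));
}
```

The matching token is generated server-side with `drupal_get_token('example_ckeditor_filter')` and handed to the editor's JavaScript via `drupal_add_js()` settings, so a request forged from another origin cannot supply it.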