# Exploit Title: Persistent XSS in wysiwyg CKEditor <4.1 Drupal 6.x & 7.x
# Date: 15/05/2013
# Exploit Author: r0ng
# Vendor Homepage: http://www.websitesecurityscan.net, http://www.hackers2devnull.blogspot.co.uk
# Software Links: http://ckeditor.com/release/CKEditor-4.0.3, http://drupal.org/download
# Version: CKEditor <4.1, wysiwyg (all versions), Drupal 6.x and 7.x
# Tested on: Firefox 21, IE 10, Chrome (v.26 now blocks it, unsure when this change was implemented)
# Sites affected: approximately 180,000 drupal sites use ckeditor (http://drupal.org/project/usage/ckeditor)

# Configuration:
# -Default installation of Drupal 6.x and 7.x
# -Default input filters (filtered HTML, disable rich text)

[+] Vulnerability:

By posting the following vector into a comment or a content post, a hidden iframe executes unrestricted javascript when viewed in edit mode (document.cookie is accessible). The attack vector is concealed when viewing the post normally and can be exploited by persuading the admin to edit a user's post or by them following a direct link, e.g.: http://website/node/4/edit.

[+] Vector - hidden iframe with URL encoded script tags

<iframe src="data:text/html; charset=utf-8,%3cscript%3ealert(document.cookie);%3c/script%3e" width="1" height="1" frameborder="0"></iframe>

[+] Disclosure and Fix:

This was disclosed to Drupal on 20/01/13, and was fixed with the release of ckeditor 4.1 (21/03/13).

Rate this post
Брой прочитания на тази страница: 1660
CKEditor < 4.1 Drupal 6.x & 7.x – Persistent XSS Vulnerability
Tagged on:     

Вашият коментар

Вашият имейл адрес няма да бъде публикуван. Задължителните полета са отбелязани с *