Reproduced at online demo page at ckeditor.com, changed source content to: <img src="http://farm4.staticflickr.com/3003/3312196469_7d13c53bdd.jpg" onload="alert(0);" /> and previewed in html mode. Internet Explorer 8.0


Drupal CKEditor - Persistent / Stored Cross-Site Scripting


Versions Affected: 3.6.2 (Possibly all versions that support event-handler injection.)

Info:
CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor, which
means that the text being edited in it looks as similar as possible to the result users
see when publishing it. It brings to the web common editing features found in desktop
editing applications like Microsoft Word and OpenOffice.

External Links:
http://ckeditor.com/
http://drupal.org/node/1332022

Credits: MaXe (@InterN0T)


-:: The Advisory ::-
CKEditor is prone to persistent Cross-Site Scripting within the actual editor, as
it is possible for an attacker to inject event handlers carrying JavaScript code
that executes when the content is previewed or edited in HTML mode.

If an attacker injects an event handler into an image, such as "onload='alert(0);'",
then the JavaScript will execute, even if the data is saved and previewed in editing
mode later on. (The XSS only executes during preview / editing in HTML mode.)

If an administrator tries to edit the comment afterwards, or is logged in and browses
to the edit page of the malicious comment, then he or she will execute the JavaScript,
allowing attacker-controlled code to run in the context of the browser.
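The defensive counterpart to the issue above, as an added example that is not code from the advisory, CKEditor or Drupal: a minimal allow-list re-serialiser in Python that drops every on* attribute and every non-http(s)/mailto URL before stored content is rendered back into a preview or editing view. The tag and attribute allow-list is an assumption chosen for a typical comment editor.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list (assumption): the tags/attributes a comment editor needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

def safe_url(value):
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, etc."""
    v = "".join(value.lower().split()).replace("\x00", "")  # drop whitespace tricks
    if ":" not in v.split("/", 1)[0]:  # no scheme before the first slash
        return True
    return v.startswith(SAFE_SCHEMES)

class EventHandlerStripper(HTMLParser):
    """Re-serialise HTML keeping only allow-listed tags/attributes; every on*
    attribute (onload, onerror, ...) is dropped before it can reach the preview."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, iframe, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases attribute names
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value or ""):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> style tags

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text can never become markup

def sanitize(html):
    p = EventHandlerStripper()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Run sanitize() on the stored comment body on every render path, including the "edit" and "preview" views, since the advisory's point is that the payload fires there rather than on the public page.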


Proof of Concept:
Switching to "raw mode" in CKEditor and then writing: