Reproduced on the online demo page at ckeditor.com: changed the source content to <img src="http://farm4.staticflickr.com/3003/3312196469_7d13c53bdd.jpg" onload="alert(0);" /> and previewed in html mode. Internet Explorer 8.0


Drupal CKEditor - Persistent / Stored Cross-Site Scripting


Versions Affected: 3.6.2 (possibly all versions that support event handler injection).

Info:
CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor, which
means that the text being edited on it looks as similar as possible to the results users
have when publishing it. It brings to the web common editing features found on desktop
editing applications like Microsoft Word and OpenOffice.

External Links:
http://ckeditor.com/
http://drupal.org/node/1332022

Credits: MaXe (@InterN0T)


-:: The Advisory ::-
CKEditor is prone to persistent cross-site scripting within the editor itself: an
attacker can inject event handlers carrying JavaScript into content that is later
rendered in preview / editing in html mode.
If an attacker injects an event handler into an image, such as "onload='alert(0);'",
the JavaScript executes even after the data has been saved and is previewed in editing
mode later on. (The XSS only fires during preview / editing in html mode.)
If an administrator later edits the comment, or is logged in and browses to the edit
page of the malicious comment, he or she executes the JavaScript, allowing attacker-
controlled code to run in the administrator's browser under the site's origin.


Proof of Concept:
Switching to "raw mode" in CKEditor and then writing: