Opened 12 years ago

Closed 11 years ago

#1658 closed Bug (invalid)

XSS Injection with img tag

Reported by: fanfarian
Owned by:
Priority: Normal
Milestone:
Component: General
Version: FCKeditor 2.5
Keywords: Pending
Cc:

Description

Hi there,

If you use:

<img src="image.jpg" onload="alert('valid cross-site scripting');" />

there is an XSS injection possible.
Enter this into the source code of an FCK window, just preview the site and the JS executes.

Browser: Firefox 2.0.0.11 (latest)
OS: WinXP SP2
FCKG: Version 2.5 Build 17352
Using FCK with PHP5

cheers
fanfarian

Change History (3)

comment:1 Changed 12 years ago by Alfonso Martínez de Lizarrondo

Keywords: Pending added; XSS Injection removed

Yes, FCKeditor doesn't filter any of the HTML, or people would complain about that. If you are saving the content sent by any user, then you must perform validation on the server, because it would be trivial for an evil user who tries to inject some attack to bypass a simple JavaScript protection.

comment:2 Changed 12 years ago by Alfonso Martínez de Lizarrondo

I forgot, you don't need any image; you can use a script directly:

<script type="text/javascript">
alert("hello world")
</script>

comment:3 Changed 11 years ago by Alfonso Martínez de Lizarrondo

Resolution: invalid
Status: new → closed

Expired
