Changes between Initial Version and Version 4 of Ticket #8630


Timestamp:
Jan 5, 2012, 8:30:10 AM (7 years ago)
Author:
Wiktor Walc
Comment:

  • Ticket #8630

    • Property Version changed from 3.6.2 to 3.0
    • Property Summary changed from CKEditor - EventHandler Cross-Site Scripting (XSS) to CKEditor should protect "onload" and "onerror" attributes
  • Ticket #8630 – Description

    Line 82, initial version:
    Reproduced at online demo page at ckeditor.com, changed source content to: <img src="http://farm4.staticflickr.com/3003/3312196469_7d13c53bdd.jpg" onload="alert(0);" />  and previewed in html mode.

    Line 82, version 4 (modified):
    Reproduced at online demo page at ckeditor.com, changed source content to: <img src="http://farm4.staticflickr.com/3003/3312196469_7d13c53bdd.jpg" onload="alert(0);" />  and previewed in html mode. Internet Explorer 8.0

    Lines 83-118, added in version 4:

    Drupal CKEditor - Persistent / Stored Cross-Site Scripting

    Versions Affected: 3.6.2 (Possibly all versions that support eventhandler injection.)

    Info:
    CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor, which
    means that the text being edited on it looks as similar as possible to the results users
    have when publishing it. It brings to the web common editing features found on desktop
    editing applications like Microsoft Word and OpenOffice.

    External Links:
    http://ckeditor.com/
    http://drupal.org/node/1332022

    Credits: MaXe (@InterN0T)

    -:: The Advisory ::-
    CKEditor is prone to Persistent Cross-Site Scripting within the actual editor, as
    it is possible for an attacker to maliciously inject eventhandlers serving javascript
    code in preview / editing in html mode.

    If an attacker injects an eventhandler into an image, such as "onload='alert(0);'",
    then the javascript will execute, even if the data is saved and previewed in editing
    mode later on. (The XSS will only execute during preview / editing in html mode.)

    If an administrator tries to edit the comment afterward, or is logged in and browses
    to the edit page of the malicious comment, then he or she will execute the javascript,
    allowing attacker controlled code to run in the context of the browser.

    Proof of Concept:
    Switching to "raw mode" in CKEditor and then writing: