Opened 12 years ago

Last modified 12 years ago

#8630 closed Bug

CKEditor should protect "onload" and "onerror" attributes — at Version 4

Reported by: MaXe Legend Owned by:
Priority: Normal Milestone: CKEditor 3.6.3
Component: General Version: 3.0
Keywords: Cc: mustlive@…

Description (last modified by Wiktor Walc)

The following is a security advisory for the Drupal CKEditor. Please note this has also been submitted to the Drupal CKeditor (implementation / plugin) project too.

# Exploit Title: Drupal CKEditor 3.6.2 - Persistent EventHandler XSS # Google Dork: "inurl:"sites/all/modules/ckeditor" -drupalcode.org" # Google Results: Approximately 379.000 results # Date: 9th December 2011 # Author: MaXe @InterN0T # Software Link: http://ckeditor.com/ & http://drupal.org/node/1332022 # Version: 3.6.2 (Drupal module: 6.x-1.8) # Screenshot: If attached, see image file(s). # Tested on: Windows + FireFox 8.0 & Internet Explorer 8.0

Drupal CKEditor - Persistent / Stored Cross-Site Scripting

Versions Affected: 3.6.2 (Possibly all versions that supports eventhandler injection.) Info: CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor, which means that the text being edited on it looks as similar as possible to the results users have when publishing it. It brings to the web common editing features found on desktop editing applications like Microsoft Word and OpenOffice. External Links: http://ckeditor.com/ http://drupal.org/node/1332022 Credits: MaXe (@InterN0T) -:: The Advisory ::- CKEditor is prone to Persistent Cross-Site Scripting within the actual editor, as it is possible for an attacker could maliciously inject eventhandlers serving java- script code in preview / editing in html mode.

If an attacker injects an eventhandler into an image, such as "onload='alert(0);'", then the javascript will execute, even if the data is saved and previewed in editing mode later on. (The XSS will only executing during preview / editing in html mode.)

If an administrator tries to edit the comment afterward, or is logged in and browses to the edit page of the malicious comment, then he or she will execute the javascript, allowing attacker controlled code to run in the context of the browser.

Proof of Concept: Switching to "raw mode" in CKEditor and then writing: <p><img onload="alert(0);" src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg" /></p>

Will become this when it is saved: <p><img data-cke-pa-onload="alert(0);" src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg" data-cke-saved-src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg"></p>

If one searches for alert(0); in Firebug after the code has been injected and executed, the location of the script will be: $full_url_to_script/event/seq/4/onload Where $full_url_to_script is e.g. the following: http://localhost/drupal/drupal-6.22/?q=comment/edit/3/event/seq/4/onload

The content of this script is: function onload(event) { alert(0); }

As there is a HTML filter in Drupal, it does not matter whether the <img> tag is allowed in this case, as it was possible to execute the eventhandler either way. (And even store the data.)

-:: Solution ::-

  • Awaits developer response *

Note: It shouldn't be possible to use eventhandlers unless explicitly specified by the administrator of the target site. All eventhandler input should also be sanitized / encoded to their equivalent htmlentities and encapsulated in quotes. Disclosure Information: 6th December 2011 - Vulnerability found during a Penetration Test 7th December 2011 - Researched and confirmed the vulnerability 4th January 2012 - Reported to Drupal and CKEditor via http://drupal.org/project/ckeditor and http://dev.ckeditor.com/ and http://cksource.com/contact There has been no public disclosure of this advisory yet. Please respond back to us whenever a solution is available, or if this is deemed a "non-issue".

Reproduced at online demo page at ckeditor.com, changed source content to: <img src="http://farm4.staticflickr.com/3003/3312196469_7d13c53bdd.jpg" onload="alert(0);" /> and previewed in html mode. Internet Explorer 8.0

Drupal CKEditor - Persistent / Stored Cross-Site Scripting

Versions Affected: 3.6.2 (Possibly all versions that supports eventhandler injection.) Info: CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor, which means that the text being edited on it looks as similar as possible to the results users have when publishing it. It brings to the web common editing features found on desktop editing applications like Microsoft Word and OpenOffice. External Links: http://ckeditor.com/ http://drupal.org/node/1332022 Credits: MaXe (@InterN0T) -:: The Advisory ::- CKEditor is prone to Persistent Cross-Site Scripting within the actual editor, as it is possible for an attacker could maliciously inject eventhandlers serving java- script code in preview / editing in html mode.

If an attacker injects an eventhandler into an image, such as "onload='alert(0);'", then the javascript will execute, even if the data is saved and previewed in editing mode later on. (The XSS will only executing during preview / editing in html mode.)

If an administrator tries to edit the comment afterward, or is logged in and browses to the edit page of the malicious comment, then he or she will execute the javascript, allowing attacker controlled code to run in the context of the browser.

Proof of Concept: Switching to "raw mode" in CKEditor and then writing:

Change History (5)

Changed 12 years ago by MaXe Legend

Attachment: ckeditorxss.png added

Screenshot

comment:1 Changed 12 years ago by Frederico Caldeira Knabben

To make the ticket simple, this is the TC:

  1. Load the following HTML in source view:
<img onload="alert(1)" src="http://www.google.com/images/logo.png" />
  1. Switch to wysiwyg view.

The alert will be executed.

comment:2 Changed 12 years ago by Jakub Ś

Version: 3.6.23.0

Reproducible in all systems from CKEditor 3.0

comment:3 Changed 12 years ago by Wiktor Walc

Another similar case with onerror:

<img onerror="alert(1)" src="a" />

comment:4 Changed 12 years ago by Wiktor Walc

Description: modified (diff)
Summary: CKEditor - EventHandler Cross-Site Scripting (XSS)CKEditor should protect "onload" and "onerror" attributes
Note: See TracTickets for help on using tickets.
© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved. | Terms of use | Privacy policy