Opened 7 years ago

Last modified 6 years ago

#9637 confirmed Bug

Scripts can be executed from ckeditor using preview plugin

Reported by: Rajasimhan Owned by:
Priority: Normal Milestone:
Component: General Version: 3.6.2
Keywords: Oracle Cc: senthil.kumaran@…, pramod.agrawal@…

Description

Copy pasting a HTML snippet from a browser window containing scripts opens channel for the execution of the script from ckeditor using the preview plugin.

Replication steps:

  1. Create a test html page with the following content

<html> <head></head> <body>

<a href="javascript:alert('Executing

Javascript:alert()')">test</a>

<script>alert('Script Tag') </script>

</body> </html>

  1. Save the html and open it using a browser.
  2. Copy the content of the rendered html ( i.e the hyperlinked word “test”) and paste it in RTE.
  3. Click the preview plugin in RTE.
  4. In the preview window that opens, if the hyperlink ‘test’ is clicked it will execute the script.

This posses a security threat as it opens a channel for executing malicious script can be executed from ckeditor. Writing a server code to filter the scripts will not help as it might corrupt the data. Another problem is that server code will trigger only when data is posted but in this case scripts can be executed using preview pluign even before posting data.

Attachments (1)

Test.html (170 bytes) - added by Rajasimhan 7 years ago.
Test file.

Download all attachments as: .zip

Change History (9)

Changed 7 years ago by Rajasimhan

Attachment: Test.html added

Test file.

comment:1 Changed 7 years ago by Jakub Ś

  1. As it has been many times explained in #8948 this is not security issue.
  2. Possible solutions were provided in - http://dev.ckeditor.com/ticket/8948#comment:9
  3. "Writing a server code to filter the scripts will not help as it might corrupt the data."
    I'm sorry but this is no argument. That is the whole point - to corrupt malicious data. It only depends on programmer whether he/she will write good code that will not corrupt non-malicious data
Last edited 7 years ago by Jakub Ś (previous) (diff)

comment:2 Changed 7 years ago by Jakub Ś

I believe that this ticket is continuation of http://dev.ckeditor.com/ticket/8948#comment:12 thus confirming it.

Please note that this is not a bug but your specific request (which could and should be handled by server-side code)

Last edited 7 years ago by Jakub Ś (previous) (diff)

comment:3 Changed 7 years ago by Jakub Ś

Status: newconfirmed

comment:4 Changed 7 years ago by Rajasimhan

Hi

Server side fix will not work because even before posting the data script can be executed by using the preview plugin. This provides a platform for executing malicious scripts from within the Peoplesoft product. So it has to be handled at the client side only.

Last edited 7 years ago by Rajasimhan (previous) (diff)

comment:5 Changed 6 years ago by Jakub Ś

Cases that Oracle guys want to have featured as well as explanations are mentioned in:

  1. #8948 - main description.
  2. http://dev.ckeditor.com/ticket/8948#comment:8
  3. http://dev.ckeditor.com/ticket/8948#comment:10 - Explanation

comment:6 Changed 6 years ago by Jakub Ś

Reading #8948 once more and knowing that Oracle guys have server-side tags stripping enabled, has led me to one conclusion.

The only way to perform XSS is: Victim-user is authorized and makes some changes in editor; he then takes some XSS script (not previously checked) pastes it into editor and then presses preview button to see what happens.

This is only entry point for attacker to perform XSS attack. He has to send script to victim and victim has to be naive enough to execute it. IMO this is very rare case.

@Rajasimhan since you have server-side tags stripping enabled why not use the same rules when you press preview button. This is something that should work for your case.

comment:7 Changed 6 years ago by Rajasimhan

Hi

We are currently not performing stripping of scripts at the server side. We are in the process of deciding how best to do it.

Thanks Raj

comment:8 Changed 6 years ago by Frederico Caldeira Knabben

The range of XSS attack patterns are way too big big to have it covered by CKEditor in the client side, just because of the preview plugin. If any solution is to be considered, a server side generated preview must be taken in consideration. In this way, the very same server cleanup can be applied to both the final posted data and the preview page.

Note: See TracTickets for help on using tickets.
© 2003 – 2019 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy