Opened 11 years ago
Last modified 11 years ago
#9637 confirmed Bug
Scripts can be executed from ckeditor using preview plugin
| Reported by: | Rajasimhan | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | General | Version: | 3.6.2 |
| Keywords: | Oracle | Cc: | senthil.kumaran@…, pramod.agrawal@… |
Description
Copy pasting a HTML snippet from a browser window containing scripts opens channel for the execution of the script from ckeditor using the preview plugin.
Replication steps:
- Create a test html page with the following content
<html> <head></head> <body>
<a href="javascript:alert('Executing
Javascript:alert()')">test</a>
<script>alert('Script Tag') </script>
</body> </html>
- Save the html and open it using a browser.
- Copy the content of the rendered html ( i.e the hyperlinked word “test”) and paste it in RTE.
- Click the preview plugin in RTE.
- In the preview window that opens, if the hyperlink ‘test’ is clicked it will execute the script.
This posses a security threat as it opens a channel for executing malicious script can be executed from ckeditor. Writing a server code to filter the scripts will not help as it might corrupt the data. Another problem is that server code will trigger only when data is posted but in this case scripts can be executed using preview pluign even before posting data.
Attachments (1)
Change History (9)
Changed 11 years ago by
comment:1 Changed 11 years ago by
- As it has been many times explained in #8948 this is not security issue.
- Possible solutions were provided in - http://dev.ckeditor.com/ticket/8948#comment:9
- Writing a server code to filter the scripts will not help as it might corrupt the data.
I'm sorry but this is no argument. That is the whole point - to corrupt malicious data. It only depends on programmer whether he/she will write good code that will not corrupt non-malicious data
comment:2 Changed 11 years ago by
I believe that this ticket is continuation of http://dev.ckeditor.com/ticket/8948#comment:12 thus confirming it.
Please note that this is not a bug but your specific request (which could and should be handled by server-side code)
comment:3 Changed 11 years ago by
| Status: | new → confirmed |
|---|
comment:4 Changed 11 years ago by
Hi
Server side fix will not work because even before posting the data script can be executed by using the preview plugin. This provides a platform for executing malicious scripts from within the Peoplesoft product. So it has to be handled at the client side only.
comment:5 Changed 11 years ago by
Cases that Oracle guys want to have featured as well as explanations are mentioned in:
- #8948 - main description.
- http://dev.ckeditor.com/ticket/8948#comment:8
- http://dev.ckeditor.com/ticket/8948#comment:10 - Explanation
comment:6 Changed 11 years ago by
Reading #8948 once more and knowing that Oracle guys have server-side tags stripping enabled, has led me to one conclusion.
The only way to perform XSS is: Victim-user is authorized and makes some changes in editor; he then takes some XSS script (not previously checked) pastes it into editor and then presses preview button to see what happens.
This is only entry point for attacker to perform XSS attack. He has to send script to victim and victim has to be naive enough to execute it. IMO this is very rare case.
@Rajasimhan since you have server-side tags stripping enabled why not use the same rules when you press preview button. This is something that should work for your case.
comment:7 Changed 11 years ago by
Hi
We are currently not performing stripping of scripts at the server side. We are in the process of deciding how best to do it.
Thanks Raj
comment:8 Changed 11 years ago by
The range of XSS attack patterns are way too big big to have it covered by CKEditor in the client side, just because of the preview plugin. If any solution is to be considered, a server side generated preview must be taken in consideration. In this way, the very same server cleanup can be applied to both the final posted data and the preview page.
Test file.