Opened 12 years ago
Closed 12 years ago
#9941 closed Bug (expired)
Security Vulnerability CKEditor
| Reported by: | rstolz | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | General | Version: | |
| Keywords: | | Cc: | |
Description
We are using Drupal 7 and our hosting provider has suspended our account and advised us that there is a vulnerability with CKEditor. I have provided the information from our host below:
Here is how the hackers have exploited your account in the first place:
91.211.18.59 - - [22/Dec/2012:19:43:29 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 395 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
91.211.18.59 - - [22/Dec/2012:19:45:24 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 426 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:45:25 -0500] "GET /wtm3971n.php HTTP/1.1" 200 271 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:52:33 -0500] "POST /wtm3971n.php?cookies=1&showimg=1&truecss=1 HTTP/1.1" 200 308 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
It appears that the CKEditor script you are using is vulnerable and needs to be upgraded. You should upgrade your main web software as well as any other third party script you are using on your account.
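The host's excerpt shows a recognisable sequence: POSTs to the module's ckeditor/xss callback, then requests seconds later from the same address to a .php file that was never part of the site. The following detection script is an added example, not code from the ticket or the CKEditor module; the sample lines are constructed from the excerpt (user agents shortened), and the allowlist of legitimate PHP entry points is an assumption about a Drupal 7 deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the host's excerpt in the ticket (user agents shortened).
SAMPLE_LOG = """\
91.211.18.59 - - [22/Dec/2012:19:43:29 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 395 "-" "Mozilla/4.0"
91.211.18.59 - - [22/Dec/2012:19:45:24 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 426 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:45:25 -0500] "GET /wtm3971n.php HTTP/1.1" 200 271 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:52:33 -0500] "POST /wtm3971n.php?cookies=1&showimg=1&truecss=1 HTTP/1.1" 200 308 "-" "-"
10.0.0.7 - - [22/Dec/2012:20:01:00 -0500] "GET /index.php?q=node/1 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""
# Apache combined-log prefix: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TRIGGER = re.compile(r"[?&]q=ckeditor/xss(?:&|$)")  # module callback POSTed to in the log
KNOWN_PHP = {"/index.php"}  # assumption: Drupal's front controller is the only expected .php


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_suspect_drops(lines, window=timedelta(minutes=15)):
    """Report the first successful request to a non-allowlisted .php path from an IP
    that POSTed to ckeditor/xss within `window` before it: [(ip, path, seconds_after)]."""
    last_trigger = {}  # ip -> time of its most recent ckeditor/xss POST
    reported, hits = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and TRIGGER.search(path):
            last_trigger[ip] = ts
            continue
        script = path.split("?", 1)[0]
        # A 4xx/5xx means no file was served; allowlisted entry points are normal traffic.
        if status >= 400 or not script.endswith(".php") or script in KNOWN_PHP:
            continue
        since = last_trigger.get(ip)
        if since is not None and timedelta(0) <= ts - since <= window:
            if (ip, script) not in reported:
                reported.add((ip, script))
                hits.append((ip, script, int((ts - since).total_seconds())))
    return hits
```

Run against the sample, the only hit is the address above fetching /wtm3971n.php one second after its second POST to the callback; the later POST to the same script and the ordinary /index.php traffic are not reported.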
Change History (8)
comment:1 Changed 12 years ago by
Description: modified (diff)
comment:2 Changed 12 years ago by
Description: modified (diff)
comment:3 Changed 12 years ago by
Status: new → pending
comment:4 Changed 12 years ago by
I attached what the host provided, which is the log of how the hacker gained access via CKEditor. Sorry, but I am not a developer, so I don't think there is much more I can provide.
comment:5 Changed 12 years ago by
- Which version of the CKEditor module were you using? Yes, there was a security issue in the CKEditor module for Drupal, but it was fixed soon after being discovered, in March 2012...
comment:7 Changed 12 years ago by
Hi, is 7.x-1.12 the version that was running when your site was hacked, or is it your current version number of the module after you or your hosting provider updated the module?
comment:8 Changed 12 years ago by
Resolution: → expired
Status: pending → closed
I'm sorry, but what kind of security vulnerability are you reporting?