Opened 7 years ago

Closed 6 years ago

#9941 closed Bug (expired)

Security Vulnerability CKEditor

Reported by: rstolz
Owned by:
Priority: Normal
Milestone:
Component: General
Version:
Keywords:
Cc:

Description (last modified by Piotrek Koszuliński)

We are using Drupal 7 and our hosting provider has suspended our account and advised us that there is a vulnerability with CKEditor. I have provided the information from our host below:

Here is how the hackers have exploited your account in the first place:

91.211.18.59 - - [22/Dec/2012:19:43:29 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 395 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
91.211.18.59 - - [22/Dec/2012:19:45:24 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 426 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:45:25 -0500] "GET /wtm3971n.php HTTP/1.1" 200 271 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:52:33 -0500] "POST /wtm3971n.php?cookies=1&showimg=1&truecss=1 HTTP/1.1" 200 308 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

It appears that the CKEditor script you are using is vulnerable and needs to be upgraded. You should upgrade your main web software as well as any other third party script you are using on your account.
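The four access-log lines the host quoted show one pattern a defender can look for on a Drupal 7 site running the CKEditor module: a POST to the module's `ckeditor/xss` path from one client, followed within seconds by a request from the same client to a `.php` file at the web root that is not part of a stock Drupal install. The script below is an added example written for this page, not code from the ticket, the host, or the CKEditor project. It parses Apache combined-format log lines and reports that sequence. The allowlist of standard Drupal 7 root scripts and the 30-minute correlation window are assumptions for the example; the sample log is the text the host provided in the ticket.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The four lines quoted by the hosting provider in the ticket description.
SAMPLE_LOG = """\
91.211.18.59 - - [22/Dec/2012:19:43:29 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 395 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
91.211.18.59 - - [22/Dec/2012:19:45:24 -0500] "POST /index.php?q=ckeditor/xss HTTP/1.1" 200 426 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:45:25 -0500] "GET /wtm3971n.php HTTP/1.1" 200 271 "-" "-"
91.211.18.59 - - [22/Dec/2012:19:52:33 -0500] "POST /wtm3971n.php?cookies=1&showimg=1&truecss=1 HTTP/1.1" 200 308 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
"""

# Assumed allowlist: PHP entry points that ship in the root of a stock Drupal 7 site.
DRUPAL_ROOT_SCRIPTS = {
    "/index.php", "/update.php", "/install.php",
    "/cron.php", "/xmlrpc.php", "/authorize.php",
}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Separate the script path from any query string so /x.php and /x.php?a=1 compare equal.
    rec["script"], _, rec["query"] = rec["path"].partition("?")
    return rec


def is_ckeditor_xss_post(rec):
    """True for a POST to the CKEditor module's ckeditor/xss path (clean or ?q= URL form)."""
    return rec["method"] == "POST" and "ckeditor/xss" in rec["path"]


def is_unexpected_root_php(rec):
    """True for a request to a .php file directly in the web root that Drupal 7 does not ship."""
    script = rec["script"]
    return re.fullmatch(r"/[^/]+\.php", script) is not None and script not in DRUPAL_ROOT_SCRIPTS


def find_suspicious_sequences(log_text, window=timedelta(minutes=30)):
    """Report (ip, script) pairs where a non-standard root .php file answered 200
    within `window` after the same ip POSTed to ckeditor/xss."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["time"])
    last_xss_post = {}   # ip -> time of the most recent POST to ckeditor/xss
    seen = set()
    findings = []
    for rec in records:
        if is_ckeditor_xss_post(rec):
            last_xss_post[rec["ip"]] = rec["time"]
            continue
        if rec["status"] == 200 and is_unexpected_root_php(rec):
            posted_at = last_xss_post.get(rec["ip"])
            if posted_at is not None and rec["time"] - posted_at <= window:
                key = (rec["ip"], rec["script"])
                if key not in seen:          # report each dropped file once per client
                    seen.add(key)
                    findings.append({
                        "ip": rec["ip"],
                        "script": rec["script"],
                        "xss_post_at": posted_at.isoformat(),
                        "first_access_at": rec["time"].isoformat(),
                        "seconds_after_post": (rec["time"] - posted_at).total_seconds(),
                    })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{f['ip']} fetched {f['script']} {f['seconds_after_post']:.0f}s "
              f"after POSTing to ckeditor/xss (first access {f['first_access_at']})")
```

Run against the host's four lines it reports one finding: the request for `/wtm3971n.php` one second after the second POST to `ckeditor/xss`. On a real server the same correlation is worth running over the whole log, and any flagged file should be checked against the site's deployment manifest rather than deleted blindly, since a legitimate custom script in the web root would trip the same heuristic.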

Change History (8)

comment:1 Changed 7 years ago by Piotrek Koszuliński

Description: modified (diff)

comment:2 Changed 7 years ago by Piotrek Koszuliński

Description: modified (diff)

comment:3 Changed 7 years ago by Piotrek Koszuliński

Status: new → pending

I'm sorry, but what kind of security vulnerability are you reporting?

comment:4 Changed 7 years ago by rstolz

I attached what the host provided, which is the log of how the hacker gained access via CKEditor. Sorry, but I am not a developer, so I don't think there is much more I can provide.

comment:5 Changed 7 years ago by Wiktor Walc

  1. Which version of the CKEditor module were you using? Yes, there was a security issue in the CKEditor module for Drupal, but it was fixed soon after being discovered, in March 2012...

comment:6 Changed 7 years ago by rstolz

It shows on the modules page of Drupal as 7.x-1.12.

comment:7 Changed 7 years ago by Wiktor Walc

Hi, is 7.x-1.12 the version that was running when your site was hacked, or is it your current version number of the module after you or your hosting provider updated the module?

comment:8 Changed 6 years ago by Piotrek Koszuliński

Resolution: expired
Status: pending → closed