Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

FCKedtior 2.6.10 Reflected Cross-Site Scripting (XSS)

From: Robin Bailey <Robin.Bailey () dionach com>
Date: Mon, 2 Jun 2014 13:26:21 +0000
Class           Cross-Site Scripting
Remote  Yes
Published       2nd June 2014
Credit          Robin Bailey of Dionach (vulns () dionach com)
Vulnerable      FCKeditor <= 2.6.10

FCKeditor is prone to a reflected cross-site scripting (XSS) vulnerability due to inadequately sanitised user input. An 
attacker may leverage this issue to run JavaScript in the context of a victim's browser.

FCKeditor 2.6.10 is known to be vulnerable; older versions may also be vulnerable. 

Note that this issue is related to CVE-2012-4000, which was a cross-site scripting vulnerability in the values of the 
textinputs[] array passed to the spellchecker.php page. To resolve this issue the values of this array were encoded 
with htmlspecialchars() before being output to the page; however the array keys were still echoed unencoded.

PoC:

POST http://[target]/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
textinputs[1</script><script>alert(document.cookie);//</script>]=zz

The vendor was notified of this issue, and FCKeditor 2.6.11 was released to address this vulnerability. See the 
following vendor announcement:

http://ckeditor.com/blog/FCKeditor-2.6.11-Released

Timeline:

28/05/2014      Vulnerability identified
28/05/2014      Initial vendor contact
28/05/2014      Vendor response to contact
28/05/2014      Vulnerability disclosed to vendor
29/05/2014      Vendor confirms vulnerability
02/06/2014      Vendor releases patch
02/06/2014      Public disclosure of vulnerability

______________________________________________________________________

Disclaimer: This e-mail and any attachments are confidential.

It may contain privileged information and is intended for the named
addressee(s) only. It must not be distributed without Dionach Ltd consent.
If you are not the intended recipient, please notify the sender immediately and destroy this e-mail. 

Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Unless 
expressly stated, opinions in this e-mail are those of the individual sender, and not of Dionach Ltd.

Dionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH Company Registration No. 03908168, VAT No. 
GB750661242

______________________________________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: