Re: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS

["MustLive" <mustlive () websecurity com ua>]

Hello MaXe!

Concerning your advisory about vulnerability in Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS 
(http://securityvulns.com/docs27577.html), then I'll note, that I've wrote already about this vulnerability last year.

As about this Persistent XSS in Drupal - SecurityVulns ID: 11748 (http://securityvulns.com/docs26584.html and 
http://seclists.org/fulldisclosure/2011/Jun/501), as about similar Reflected XSS in Drupal - SecurityVulns ID: 11750 
(http://securityvulns.com/docs26588.html and http://seclists.org/fulldisclosure/2011/Jun/529). These XSS attacks can be 
done as via FCKeditor/CKEditor, as via TinyMCE and any other rich editors (with preview functionality).

As I've mentioned in publications at my site, these vulnerabilities were found by me at 16.08.2010 (during security 
audit). After my brief informing about them at 11.12.2010 and detailed informing at 13.04.2011 to Drupal developers, 
they were ignored and not fixed (so it's no wonder that you've found them). I've announced these vulnerabilities at 
12.04.2011 and 13.04.2011, and after giving enough time for developers to fix, they were disclosed at 24.06.2011 and 
25.06.2011.

About such XSS vulnerabilities in forms with rich editors I've wrote in April 2011 in my article "Cross-Site Scripting 
vulnerabilities in forms" 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html).

No claims to you concerning that you've found the same hole, as I've found in 2010. Such things happen (and quite often 
people found holes, which I've already found and disclosed earlier), and if you've missed these my findings, about 
which I wrote in my advisories and article, then I reminded you. But, please, draw attention to above-mentioned 
reflected XSS attack via forms with rich editors in Drupal (which is similar to persistent XSS, but much more forms are 
affected and the attack is easier to conduct, because the form_token is not required).

Because these vulnerabilities concern Drupal itself, not only CKEditor (such attack can also be conducted via 
FCKeditor, TinyMCE and any other rich editors, and it's Drupal's filter fault), I've not informed CKEditor developers, 
but only Drupal developers. So from your side, you've did some job to also draw their attention to this issue (and 
maybe if Drupal is ignoring, then there will be some moving from other side to fix these issues, but it was better for 
Drupal developers to fix it).

> 18th January 2012 - Developers of CKEditor has been contacted several times, nothing has happened in two weeks and 
> the advisory has been available to the public via bugtrackers. Vulnerability released to the general public.

Taking into account, that I've disclosed this hole at 24th July 2011, then it was available for the public from that 
time.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/