Wednesday, 15 May 2013

Persistent XSS in wysiwyg module CKEditor below 4.1 - drupal 6.x 7.x

This persistent XSS vulnerability requires a little bit social engineering to work, see the report below:

# Exploit Title: Persistent XSS in wysiwyg module CKEditor <4.1 Drupal 6.x & 7.x
# Date: 15/05/2013
# Exploit Author: r0ng
# Vendor Homepage: http://www.websitesecurityscan.net, http://www.hackers2devnull.blogspot.co.uk
# Software Links: http://ckeditor.com/release/CKEditor-4.0.3, http://drupal.org/download
# Version: CKEditor <4.1, wysiwyg (all versions), Drupal 6.x and 7.x
# Tested on: Firefox 21, IE 10, Chrome (v.26 now blocks it, unsure when this change was implemented)
# Sites affected: approximately 180,000 drupal sites use ckeditor (http://drupal.org/project/usage/ckeditor)

# Configuration:
# -Default installation of Drupal 6.x and 7.x
# -Default input filters (filtered HTML, disable rich text)

[+] Vulnerability:

By posting the following vector into a comment or a content post, a hidden iframe executes unrestricted javascript when viewed in edit mode (document.cookie is accessible). The attack vector is concealed when viewing the post normally and can be exploited by persuading the admin to edit a user's post or by them following a direct link, e.g.: http://website/node/4/edit.

[+] Vector - hidden iframe with URL encoded script tags

<iframe src="data:text/html; charset=utf-8,%3cscript%3ealert(document.cookie);%3c/script%3e" width="1" height="1" frameborder="0"></iframe>

[+] Disclosure and Fix:

This was disclosed to Drupal on 20/01/13, and was fixed with the release of ckeditor 4.1 (21/03/13) (Although at time of writing, backports of fix for previous version to ver 8 are still vulnerable...)

No comments:

Post a Comment