[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FCKedtior 2.6.10 Reflected Cross-Site Scripting (XSS)

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: FCKedtior 2.6.10 Reflected Cross-Site Scripting (XSS)
From: Robin Bailey <Robin.Bailey@xxxxxxxxxxx>
Date: Mon, 2 Jun 2014 13:26:21 +0000

Class Cross-Site Scripting
Remote Yes
Published 2nd June 2014
Credit Robin Bailey of Dionach (vulns@xxxxxxxxxxx)
Vulnerable FCKeditor <= 2.6.10

FCKeditor is prone to a reflected cross-site scripting (XSS) vulnerability due
to inadequately sanitised user input. An attacker may leverage this issue to
run JavaScript in the context of a victim's browser.

FCKeditor 2.6.10 is known to be vulnerable; older versions may also be
vulnerable.

Note that this issue is related to CVE-2012-4000, which was a cross-site
scripting vulnerability in the values of the textinputs[] array passed to the
spellchecker.php page. To resolve this issue the values of this array were
encoded with htmlspecialchars() before being output to the page; however the
array keys were still echoed unencoded.

PoC:

POST
http://[target]/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
textinputs[1</script><script>alert(document.cookie);//</script>]=zz

The vendor was notified of this issue, and FCKeditor 2.6.11 was released to
address this vulnerability. See the following vendor announcement:

http://ckeditor.com/blog/FCKeditor-2.6.11-Released

Timeline:

28/05/2014 Vulnerability identified
28/05/2014 Initial vendor contact
28/05/2014 Vendor response to contact
28/05/2014 Vulnerability disclosed to vendor
29/05/2014 Vendor confirms vulnerability
02/06/2014 Vendor releases patch
02/06/2014 Public disclosure of vulnerability

______________________________________________________________________

Disclaimer: This e-mail and any attachments are confidential.

It may contain privileged information and is intended for the named
addressee(s) only. It must not be distributed without Dionach Ltd consent.
If you are not the intended recipient, please notify the sender immediately and
destroy this e-mail.

Any unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. Unless expressly stated, opinions in this e-mail
are those of the individual sender, and not of Dionach Ltd.

Dionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH Company
Registration No. 03908168, VAT No. GB750661242

______________________________________________________________________

Prev by Date: VUPEN Security Research - Adobe Acrobat & Reader XI-X "AcroBroker" Sandbox Bypass (Pwn2Own)
Next by Date: CVE-2014-1226 s3dvt Root shell (still)
Previous by thread: VUPEN Security Research - Adobe Acrobat & Reader XI-X "AcroBroker" Sandbox Bypass (Pwn2Own)
Next by thread: CVE-2014-1226 s3dvt Root shell (still)
Index(es):
- Date
- Thread