[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 22 Jan 2012 20:41:53 +0200
Hello MaXe!
Concerning your advisory about vulnerability in Drupal CKEditor 3.0 - 3.6.2 -
Persistent EventHandler XSS (http://securityvulns.com/docs27577.html), then
I'll note, that I've wrote already about this vulnerability last year.
As about this Persistent XSS in Drupal - SecurityVulns ID: 11748
(http://securityvulns.com/docs26584.html and
http://seclists.org/fulldisclosure/2011/Jun/501), as about similar Reflected
XSS in Drupal - SecurityVulns ID: 11750
(http://securityvulns.com/docs26588.html and
http://seclists.org/fulldisclosure/2011/Jun/529). These XSS attacks can be done
as via FCKeditor/CKEditor, as via TinyMCE and any other rich editors (with
preview functionality).
As I've mentioned in publications at my site, these vulnerabilities were found
by me at 16.08.2010 (during security audit). After my brief informing about
them at 11.12.2010 and detailed informing at 13.04.2011 to Drupal developers,
they were ignored and not fixed (so it's no wonder that you've found them).
I've announced these vulnerabilities at 12.04.2011 and 13.04.2011, and after
giving enough time for developers to fix, they were disclosed at 24.06.2011 and
25.06.2011.
About such XSS vulnerabilities in forms with rich editors I've wrote in April
2011 in my article "Cross-Site Scripting vulnerabilities in forms"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html).
No claims to you concerning that you've found the same hole, as I've found in
2010. Such things happen (and quite often people found holes, which I've
already found and disclosed earlier), and if you've missed these my findings,
about which I wrote in my advisories and article, then I reminded you. But,
please, draw attention to above-mentioned reflected XSS attack via forms with
rich editors in Drupal (which is similar to persistent XSS, but much more forms
are affected and the attack is easier to conduct, because the form_token is not
required).
Because these vulnerabilities concern Drupal itself, not only CKEditor (such
attack can also be conducted via FCKeditor, TinyMCE and any other rich editors,
and it's Drupal's filter fault), I've not informed CKEditor developers, but
only Drupal developers. So from your side, you've did some job to also draw
their attention to this issue (and maybe if Drupal is ignoring, then there will
be some moving from other side to fix these issues, but it was better for
Drupal developers to fix it).
> 18th January 2012 - Developers of CKEditor has been contacted several times,
> nothing has happened in two weeks and the advisory has been available to the
> public via bugtrackers. Vulnerability released to the general public.
Taking into account, that I've disclosed this hole at 24th July 2011, then it
was available for the public from that time.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/