Re: [Full-disclosure] Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS



Hello MaXe!

Concerning your advisory about vulnerability in Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS (http://securityvulns.com/docs27577.html), then I'll note, that I've wrote already about this vulnerability last year.

As about this Persistent XSS in Drupal - SecurityVulns ID: 11748 (http://securityvulns.com/docs26584.html and http://seclists.org/fulldisclosure/2011/Jun/501), as about similar Reflected XSS in Drupal - SecurityVulns ID: 11750 (http://securityvulns.com/docs26588.html and http://seclists.org/fulldisclosure/2011/Jun/529). These XSS attacks can be done as via FCKeditor/CKEditor, as via TinyMCE and any other rich editors (with preview functionality).

As I've mentioned in publications at my site, these vulnerabilities were found by me at 16.08.2010 (during security audit). After my brief informing about them at 11.12.2010 and detailed informing at 13.04.2011 to Drupal developers, they were ignored and not fixed (so it's no wonder that you've found them). I've announced these vulnerabilities at 12.04.2011 and 13.04.2011, and after giving enough time for developers to fix, they were disclosed at 24.06.2011 and 25.06.2011.

About such XSS vulnerabilities in forms with rich editors I've wrote in April 2011 in my article "Cross-Site Scripting vulnerabilities in forms" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html).

No claims to you concerning that you've found the same hole, as I've found in 2010. Such things happen (and quite often people found holes, which I've already found and disclosed earlier), and if you've missed these my findings, about which I wrote in my advisories and article, then I reminded you. But, please, draw attention to above-mentioned reflected XSS attack via forms with rich editors in Drupal (which is similar to persistent XSS, but much more forms are affected and the attack is easier to conduct, because the form_token is not required).

Because these vulnerabilities concern Drupal itself, not only CKEditor (such attack can also be conducted via FCKeditor, TinyMCE and any other rich editors, and it's Drupal's filter fault), I've not informed CKEditor developers, but only Drupal developers. So from your side, you've did some job to also draw their attention to this issue (and maybe if Drupal is ignoring, then there will be some moving from other side to fix these issues, but it was better for Drupal developers to fix it).

18th January 2012 - Developers of CKEditor has been contacted several times, nothing has happened in two weeks and the advisory has been available to the public via bugtrackers. Vulnerability released to the general public.

Taking into account, that I've disclosed this hole at 24th July 2011, then it was available for the public from that time.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages