Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution

<pre>FYI, this bug was recently fixed by the CKEditor Developers, as the
bug itself was in the CKEditor module, not Drupal. (They just use it like
everyone else.)

References:

Best regards,
MaXe
On Wed, 14 Mar 2012 19:03:36 +0000 (UTC), security-news@xxxxxxxxxx wrote:
&gt; * Advisory ID: DRUPAL-SA-CONTRIB-2012-040
&gt; * Project: CKEditor [1], FCKeditor [2] - WYSIWYG HTML editor
&gt; module)
&gt; * Version: 6.x, 7.x
&gt; * Date: 2012-March-14
&gt; * Security risk: Highly critical [3]
&gt; * Exploitable from: Remote
&gt; * Vulnerability: Cross Site Scripting, Cross Site Request Forgery,
&gt; Arbitrary
&gt; PHP code execution
&gt; -------- DESCRIPTION
&gt; ---------------------------------------------------------
&gt; CKEditor and its predecessor FCKeditor allow Drupal to replace
&gt; fields with the (F)CKEditor - a visual HTML WYSIWYG editor.
&gt; The modules have an AJAX callback that filters text to prevent Cross
&gt; scripting attacks on content edits. This AJAX callback function contains a
&gt; number of bugs which allow attackers to choose which filter to execute
&gt; chosen text or bypass the filter entirely.
&gt; The vulnerability can be used to conduct Cross site scripting (XSS)
&gt; on privileged users. Attackers can also execute arbitrary PHP code if
&gt; core PHP module is enabled. This can happen either directly or by
&gt; a
&gt; privileged user to visit a page.
&gt; Direct execution of PHP code requires that the attacker has the
&gt; privileges:
&gt; "access fckeditor" for FCKeditor 6.x
&gt; "access ckeditor" for CKEditor 6.x
&gt; No additional permissions are required to directly exploit the PHP
&gt; execution flaw on CKEditor 7.x.
&gt; ---------------------------------------------------
&gt; * FCKeditor 6.x-2.x versions prior to 6.x-2.3.
&gt; * CKEditor 6.x-1.x versions prior to 6.x-1.9.
&gt; * CKEditor 7.x-1.x versions prior to 7.x-1.7.
&gt; Drupal core is not affected. If you do not use the contributed CKEditor -
&gt; WYSIWYG HTML editor [4] module, there is nothing you need to do.
&gt; -------- SOLUTION
&gt; ------------------------------------------------------------
&gt; Install the latest version:
&gt; * If you use the FCKeditor module for Drupal 6.x, upgrade to
&gt; 6.x-2.3 [5].
&gt; * If you use the CKEditor module for Drupal 6.x, upgrade to
&gt; 6.x-1.9
&gt; [6].
&gt; * If you use the CKEditor module for Drupal 7.x, upgrade to
&gt; 7.x-1.7
&gt; [7].
&gt; See also the CKEditor - WYSIWYG HTML editor [8] project page.
&gt; -------- REPORTED BY
&gt; ---------------------------------------------------------
&gt; * Heine Deelstra [9] of the Drupal Security Team
&gt; -------- FIXED BY
&gt; ------------------------------------------------------------
&gt; * Wiktor Walc [10] the module maintainer
&gt; ----------------------------------------
&gt; The Drupal security team can be reached at security at or
&gt; the
&gt; contact form at [11].
&gt; Learn more about the Drupal Security team and their policies [12],
&gt; secure code for Drupal [13], and securing your site [14].
&gt; [1]
&gt; [2]
&gt; [3]
&gt; [4]
&gt; [5]
&gt; [6]
&gt; [7]
&gt; [8]
&gt; [9]
&gt; [10]
&gt; [11]
&gt; [12]
&gt; [13]
&gt; [14]
&gt; _______________________________________________
&gt; Security-news mailing list
&gt; Security-news@xxxxxxxxxx
&gt; _______________________________________________
&gt; Full-Disclosure - We believe in it.
&gt; Charter:
&gt; Hosted and sponsored by Secunia -</pre>
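
A version check built from the affected ranges in the quoted advisory, as an added example that is not part of the original thread or the Drupal project's code. It assumes the module's `.info` file carries the `project` and `version` lines written by drupal.org packaging; the function name and the sample input are constructed for illustration.

```python
import re

# Fixed release per (project, core, major branch), from the advisory's SOLUTION section.
FIXED = {
    ("fckeditor", "6.x", 2): 3,  # FCKeditor 6.x-2.x: fixed in 6.x-2.3
    ("ckeditor", "6.x", 1): 9,   # CKEditor 6.x-1.x: fixed in 6.x-1.9
    ("ckeditor", "7.x", 1): 7,   # CKEditor 7.x-1.x: fixed in 7.x-1.7
}

# Assumption: .info lines look like  version = "7.x-1.6"  /  project = "ckeditor"
INFO_LINE = re.compile(
    r'^[ \t]*(project|version)[ \t]*=[ \t]*"?([^"\r\n]+?)"?[ \t]*\r?$', re.M)
VERSION = re.compile(r'^(\d+\.x)-(\d+)\.(\d+|x)(?:-(.+))?$')


def classify(info_text):
    """Return 'affected', 'fixed', 'unknown' or 'not-listed' for one .info file."""
    fields = {key: value for key, value in INFO_LINE.findall(info_text)}
    project = fields.get("project", "").lower()
    if project not in ("ckeditor", "fckeditor"):
        return "not-listed"
    match = VERSION.match(fields.get("version", ""))
    if not match:
        return "unknown"        # no packaged version string, e.g. a VCS checkout
    core, major, minor, suffix = match.groups()
    fixed_minor = FIXED.get((project, core, int(major)))
    if fixed_minor is None:
        return "not-listed"     # branch not named in the advisory
    if minor == "x":
        return "unknown"        # -dev snapshot: cannot be ordered against a release
    if int(minor) < fixed_minor:
        return "affected"       # numeric compare, so 1.10 sorts after 1.7
    if int(minor) == fixed_minor and suffix:
        return "unknown"        # pre-release of the fixed version (rc/beta)
    return "fixed"


# Constructed sample .info content, not taken from a real site.
SAMPLE_INFO = 'name = CKEditor\ncore = 7.x\nversion = "7.x-1.6"\nproject = "ckeditor"\n'

if __name__ == "__main__":
    print(classify(SAMPLE_INFO))
```

Results of `unknown` need a manual look, since a development snapshot or pre-release cannot be placed before or after the fixed release from its version string alone.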
