Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution



<pre>FYI, this bug was recently fixed by the CKEditor Developers, as the
bug itself was in the CKEditor module, not Drupal. (They just use it like
everyone else.)<br /><br /><img src="http://i.imgur.com/IbRbx.jpg"; alt=""
width="749" height="780" /><br /><br />References:<br
/>https://dev.ckeditor.com/ticket/8630#comment:23<br
/>http://seclists.org/fulldisclosure/2012/Jan/279<br
/>http://forum.intern0t.org/intern0t-advisories/4102-drupal-ckeditor-3-0-3-6-2-persistent-eventhandler-cross-site-scripting.html<br
/>http://i.imgur.com/IbRbx.jpg<br /><br /><br /><br />Best regards,<br
/>MaXe<br />
On Wed, 14 Mar 2012 19:03:36 +0000 (UTC), security-news@xxxxxxxxxx wrote:
&gt; * Advisory ID: DRUPAL-SA-CONTRIB-2012-040
&gt; * Project: CKEditor [1], FCKeditor [2] - WYSIWYG HTML editor
(third-party
&gt; module)
&gt; * Version: 6.x, 7.x
&gt; * Date: 2012-March-14
&gt; * Security risk: Highly critical [3]
&gt; * Exploitable from: Remote
&gt; * Vulnerability: Cross Site Scripting, Cross Site Request Forgery,
&gt; Arbitrary
&gt; PHP code execution
&gt;
&gt; -------- DESCRIPTION
&gt; ---------------------------------------------------------
&gt;
&gt; CKEditor and its predecessor FCKeditor allow Drupal to replace
textarea
&gt; fields with the (F)CKEditor - a visual HTML WYSIWYG editor.
&gt;
&gt; The modules have an AJAX callback that filters text to prevent Cross
site
&gt; scripting attacks on content edits. This AJAX callback function
contains a
&gt; number of bugs which allow attackers to chose which filter to execute
on
&gt; chosen text or bypass the filter entirely.
&gt;
&gt; The vulnerability can be used to conduct Cross site scripting (XSS)
attacks
&gt; on privileged users. Attackers can also execute arbitrary PHP code if
the
&gt; core PHP module is enabled. This can happen either directly or by
enticing
&gt; a
&gt; privileged user to visit a page.
&gt;
&gt; Direct execution of PHP code requires that the attacker has the
following
&gt; privileges:
&gt;
&gt; "access fckeditor" for FCKeditor 6.x
&gt; "access ckeditor" for CKEditor 6.x
&gt;
&gt; No additional permissions are required to directly exploit the PHP
code
&gt; execution flaw on CKEditor 7.x.
&gt;
&gt; -------- VERSIONS AFFECTED
&gt; ---------------------------------------------------
&gt;
&gt; * FCKeditor 6.x-2.x versions prior to 6.x-2.3.
&gt; * CKEditor 6.x-1.x versions prior to 6.x-1.9.
&gt; * CKEditor 7.x-1.x versions prior to 7.x-1.7.
&gt;
&gt; Drupal core is not affected. If you do not use the contributed
CKEditor -
&gt; WYSIWYG HTML editor [4] module, there is nothing you need to do.
&gt;
&gt; -------- SOLUTION
&gt; ------------------------------------------------------------
&gt;
&gt; Install the latest version:
&gt;
&gt; * If you use the FCKeditor module for Drupal 6.x, upgrade to
FCKeditor
&gt; 6.x-2.3 [5].
&gt; * If you use the CKEditor module for Drupal 6.x, upgrade to
CKEditor
&gt; 6.x-1.9
&gt; [6].
&gt; * If you use the CKEditor module for Drupal 7.x, upgrade to
CKEditor
&gt; 7.x-1.7
&gt; [7].
&gt;
&gt; See also the CKEditor - WYSIWYG HTML editor [8] project page.
&gt;
&gt; -------- REPORTED BY
&gt; ---------------------------------------------------------
&gt;
&gt; * Heine Deelstra [9] of the Drupal Security Team
&gt;
&gt; -------- FIXED BY
&gt; ------------------------------------------------------------
&gt;
&gt; * Wiktor Walc [10] the module maintainer
&gt;
&gt; -------- CONTACT AND MORE INFORMATION
&gt; ----------------------------------------
&gt;
&gt; The Drupal security team can be reached at security at drupal.org or
via
&gt; the
&gt; contact form at http://drupal.org/contact [11].
&gt;
&gt; Learn more about the Drupal Security team and their policies [12],
writing
&gt; secure code for Drupal [13], and securing your site [14].
&gt;
&gt;
&gt; [1] http://drupal.org/project/ckeditor
&gt; [2] http://drupal.org/project/fckeditor
&gt; [3] http://drupal.org/security-team/risk-levels
&gt; [4] http://drupal.org/project/ckeditor
&gt; [5] http://drupal.org/node/1482442
&gt; [6] http://drupal.org/node/1482480
&gt; [7] http://drupal.org/node/1482466
&gt; [8] http://drupal.org/project/ckeditor
&gt; [9] http://drupal.org/user/17943
&gt; [10] http://drupal.org/user/184556
&gt; [11] http://drupal.org/contact
&gt; [12] http://drupal.org/security-team
&gt; [13] http://drupal.org/writing-secure-code
&gt; [14] http://drupal.org/security/secure-configuration
&gt;
&gt; _______________________________________________
&gt; Security-news mailing list
&gt; Security-news@xxxxxxxxxx
&gt; http://lists.drupal.org/mailman/listinfo/security-news
&gt;
&gt; _______________________________________________
&gt; Full-Disclosure - We believe in it.
&gt; Charter: http://lists.grok.org.uk/full-disclosure-charter.html
&gt; Hosted and sponsored by Secunia - http://secunia.com/</pre>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/