lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 22 Jan 2012 20:41:53 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: Re: Drupal CKEditor 3.0 - 3.6.2 - Persistent
	EventHandler XSS

Hello MaXe!

Concerning your advisory about vulnerability in Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS (http://securityvulns.com/docs27577.html), then I'll note, that I've wrote already about this vulnerability last year.

As about this Persistent XSS in Drupal - SecurityVulns ID: 11748 (http://securityvulns.com/docs26584.html and http://seclists.org/fulldisclosure/2011/Jun/501), as about similar Reflected XSS in Drupal - SecurityVulns ID: 11750 (http://securityvulns.com/docs26588.html and http://seclists.org/fulldisclosure/2011/Jun/529). These XSS attacks can be done as via FCKeditor/CKEditor, as via TinyMCE and any other rich editors (with preview functionality).

As I've mentioned in publications at my site, these vulnerabilities were found by me at 16.08.2010 (during security audit). After my brief informing about them at 11.12.2010 and detailed informing at 13.04.2011 to Drupal developers, they were ignored and not fixed (so it's no wonder that you've found them). I've announced these vulnerabilities at 12.04.2011 and 13.04.2011, and after giving enough time for developers to fix, they were disclosed at 24.06.2011 and 25.06.2011.

About such XSS vulnerabilities in forms with rich editors I've wrote in April 2011 in my article "Cross-Site Scripting vulnerabilities in forms" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html).

No claims to you concerning that you've found the same hole, as I've found in 2010. Such things happen (and quite often people found holes, which I've already found and disclosed earlier), and if you've missed these my findings, about which I wrote in my advisories and article, then I reminded you. But, please, draw attention to above-mentioned reflected XSS attack via forms with rich editors in Drupal (which is similar to persistent XSS, but much more forms are affected and the attack is easier to conduct, because the form_token is not required).

Because these vulnerabilities concern Drupal itself, not only CKEditor (such attack can also be conducted via FCKeditor, TinyMCE and any other rich editors, and it's Drupal's filter fault), I've not informed CKEditor developers, but only Drupal developers. So from your side, you've did some job to also draw their attention to this issue (and maybe if Drupal is ignoring, then there will be some moving from other side to fix these issues, but it was better for Drupal developers to fix it).

> 18th January 2012 - Developers of CKEditor has been contacted several times, nothing has happened in two weeks and the advisory has been available to the public via bugtrackers. Vulnerability released to the general public.

Taking into account, that I've disclosed this hole at 24th July 2011, then it was available for the public from that time.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ