Message-ID: <cdbf09b595f86a0dd991af427582a473@intern0t.net>
Date: Fri, 16 Mar 2012 17:53:01 -0400
From: InterN0T Advisories <advisories@...ern0t.net>
To: Greg Knaddison <greg.knaddison@...uia.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Security-news] SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution

Hello Greg,

Thank you for your response. After re-reading the advisory a couple of times, and after a few communication attempts from Ustima, who seems to have personal issues with me, I realized that I was wrong, and that it wasn't the same bug that I made an advisory for.

I am glad, however, that you pointed out the difference, and also how your advisories are designed (e.g., without PoCs, limiting both attacks but also free knowledge; of course I could just research this bug discovered by you or your team and release a working exploit), but the confusing part is also the time-frame, as the CKEditor developers have recently fixed the bug I discovered.

Thanks again for clarifying the difference, but also for responding to this public mailing list.

Best regards,
MaXe

On Thu, 15 Mar 2012 07:57:17 -0600, Greg Knaddison <greg.knaddison@...uia.com> wrote:
> Hello MaXe,
>
> Thanks for the feedback.
>
> Our security advisories are meant to be a little opaque and do not
> include a POC, so I can understand how these two issues could be
> confusing: they both include XSS in something named (F)CKEditor.
>
> However this issue is quite different from the one you identified.
>
> Your advisory was about Javascript execution in html attributes inside
> the Javascript/CKEditor tool itself. This vulnerability is about a
> feature of the Drupal module written in PHP which responds to Ajax
> requests and sends back text filtered using one of Drupal's Input
> Formats.
>
> Users of Drupal who upgraded (F)CKEditor Javascript previously to
> address the issue you identified in that code need to update their
> Drupal module as well to fix the issue described in the advisory
> SA-CONTRIB-2012-040.
>
> Regards,
> Greg
>
>
> On Wed, Mar 14, 2012 at 2:42 PM, InterN0T Advisories
> <advisories@...ern0t.net> wrote:
>> FYI, this bug was recently fixed by the CKEditor Developers, as the bug
>> itself was in the CKEditor module, not Drupal. (They just use it like
>> everyone else.)
>>
>> Cartoon of the day: http://i.imgur.com/IbRbx.jpg
>>
>>
>> References:
>> https://dev.ckeditor.com/ticket/8630#comment:23
>> http://seclists.org/fulldisclosure/2012/Jan/279
>> http://forum.intern0t.org/intern0t-advisories/4102-drupal-ckeditor-3-0-3-6-2-persistent-eventhandler-cross-site-scripting.html
>> http://i.imgur.com/IbRbx.jpg
>>
>>
>> Best regards,
>> MaXe
>>
>> PS: Sorry for the previous HTML e-mail.
>>
>> On Wed, 14 Mar 2012 19:03:36 +0000 (UTC), security-news@...pal.org wrote:
>>> * Advisory ID: DRUPAL-SA-CONTRIB-2012-040
>>> * Project: CKEditor [1], FCKeditor [2] - WYSIWYG HTML editor (third-party
>>>   module)
>>> * Version: 6.x, 7.x
>>> * Date: 2012-March-14
>>> * Security risk: Highly critical [3]
>>> * Exploitable from: Remote
>>> * Vulnerability: Cross Site Scripting, Cross Site Request Forgery,
>>>   Arbitrary PHP code execution
>>>
>>> -------- DESCRIPTION
>>> ---------------------------------------------------------
>>>
>>> CKEditor and its predecessor FCKeditor allow Drupal to replace textarea
>>> fields with the (F)CKEditor - a visual HTML WYSIWYG editor.
>>>
>>> The modules have an AJAX callback that filters text to prevent Cross site
>>> scripting attacks on content edits. This AJAX callback function contains a
>>> number of bugs which allow attackers to choose which filter to execute on
>>> chosen text or bypass the filter entirely.
>>>
>>> The vulnerability can be used to conduct Cross site scripting (XSS) attacks
>>> on privileged users. Attackers can also execute arbitrary PHP code if the
>>> core PHP module is enabled. This can happen either directly or by enticing a
>>> privileged user to visit a page.
>>>
>>> Direct execution of PHP code requires that the attacker has the following
>>> privileges:
>>>
>>> "access fckeditor" for FCKeditor 6.x
>>> "access ckeditor" for CKEditor 6.x
>>>
>>> No additional permissions are required to directly exploit the PHP code
>>> execution flaw on CKEditor 7.x.
>>>
>>> -------- VERSIONS AFFECTED
>>> ---------------------------------------------------
>>>
>>> * FCKeditor 6.x-2.x versions prior to 6.x-2.3.
>>> * CKEditor 6.x-1.x versions prior to 6.x-1.9.
>>> * CKEditor 7.x-1.x versions prior to 7.x-1.7.
>>>
>>> Drupal core is not affected. If you do not use the contributed CKEditor -
>>> WYSIWYG HTML editor [4] module, there is nothing you need to do.
>>>
>>> -------- SOLUTION
>>> ------------------------------------------------------------
>>>
>>> Install the latest version:
>>>
>>> * If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor
>>>   6.x-2.3 [5].
>>> * If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor
>>>   6.x-1.9 [6].
>>> * If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
>>>   7.x-1.7 [7].
>>>
>>> See also the CKEditor - WYSIWYG HTML editor [8] project page.
>>>
>>> -------- REPORTED BY
>>> ---------------------------------------------------------
>>>
>>> * Heine Deelstra [9] of the Drupal Security Team
>>>
>>> -------- FIXED BY
>>> ------------------------------------------------------------
>>>
>>> * Wiktor Walc [10] the module maintainer
>>>
>>> -------- CONTACT AND MORE INFORMATION
>>> ----------------------------------------
>>>
>>> The Drupal security team can be reached at security at drupal.org or via the
>>> contact form at http://drupal.org/contact [11].
>>>
>>> Learn more about the Drupal Security team and their policies [12], writing
>>> secure code for Drupal [13], and securing your site [14].
>>>
>>>
>>> [1] http://drupal.org/project/ckeditor
>>> [2] http://drupal.org/project/fckeditor
>>> [3] http://drupal.orgteam/risk-levels
>>> [4] http://drupal.org/project/ckeditor
>>> [5] http://drupal.org/node/1482442
>>> [6] http://drupal.org/node/1482480
>>> [7] http://drupal.org/node/1482466
>>> [8] http://drupal.org/project/ckeditor
>>> [9] http://drupal.org/user/17943
>>> [10] http://drupal.org/user/184556
>>> [11] http://drupal.org/contact
>>> [12] http://drupal.org/security-team
>>> [13] http://drupal.org/writing-secure-code
>>> [14] http://drupal.org/security/secure-configuration
>>>
>>> _______________________________________________
>>> Security-news mailing list
>>> Security-news@...pal.org
>>> http://lists.drupal.org/mailman/listinfo/security-news
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
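The advisory describes an AJAX callback that returns text filtered through a Drupal input format, where the caller could pick the format (including the PHP format when the core PHP module is enabled) or skip filtering. As an added illustration, not the CKEditor/FCKeditor module's own code, here is how such a callback can be written on Drupal 7 so that the client-supplied format id is only honoured when the current user is allowed to use that format, and the request is bound to the session against CSRF. It assumes Drupal 7 core APIs (filter_format_load, filter_access, filter_default_format, check_markup, drupal_valid_token, drupal_json_output, drupal_exit); the module name, path and token key are hypothetical.

```php
<?php
// Hypothetical module "example"; only the permission name comes from the advisory.

function example_menu() {
  $items['example/filter-text'] = array(
    'page callback'    => 'example_filter_ajax',
    'access arguments' => array('access ckeditor'), // permission named in the advisory
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_filter_ajax() {
  // Refuse GET: echoing attacker-controlled HTML from a GET URL is a reflected
  // XSS vector that a privileged user can be lured into opening.
  if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    drupal_json_output(array('error' => 'POST required'));
    drupal_exit();
  }

  // CSRF: the token is derived from the current session, so a page on another
  // origin cannot drive this callback on a logged-in user's behalf.
  if (empty($_POST['token']) || !drupal_valid_token($_POST['token'], 'example_filter')) {
    drupal_json_output(array('error' => 'invalid token'));
    drupal_exit();
  }

  $text      = isset($_POST['text'])   ? (string) $_POST['text']   : '';
  $format_id = isset($_POST['format']) ? (string) $_POST['format'] : '';

  // The bug class in the advisory is trusting the format chosen by the client.
  // Resolve the id against configured formats and require filter_access(); a
  // format the user may not use (e.g. php_code, which executes PHP through the
  // PHP filter module) falls back to the user's default format, never to "no
  // filtering".
  $format = ($format_id !== '') ? filter_format_load($format_id) : FALSE;
  if (!$format || !filter_access($format)) {
    $format_id = filter_default_format();
  }

  drupal_json_output(array('html' => check_markup($text, $format_id)));
  drupal_exit();
}
```

The client obtains the token from drupal_get_token('example_filter') on the page that embeds the editor and posts it together with the text and the requested format.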