lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cdbf09b595f86a0dd991af427582a473@intern0t.net>
Date: Fri, 16 Mar 2012 17:53:01 -0400
From: InterN0T Advisories <advisories@...ern0t.net>
To: Greg Knaddison <greg.knaddison@...uia.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Security-news] SA-CONTRIB-2012-040 -
 CKEditor and FCKeditor - multiple XSS, arbitrary code execution

Hello Greg,


Thank you for your response.

After re-reading the advisory a couple of times, and after a few
communication attempts from Ustima who seems to have personal issues with
me, I realized that I was wrong, and that it wasn't the same bug that I
made an advisory for.

I am glad however, that you pointed out the difference, and also how your
advisories are designed (e.g., without PoC's limiting both attacks but also
free knowledge. Of course I could just research this bug discovered by you
or your team and release a working exploit), but the confusing part is also
the time-frame, as the CKEditor developers has recently fixed the bug I
discovered.

Thanks again for clarifying the difference, but also responding to this
public mailing list.



Best regards,
MaXe


On Thu, 15 Mar 2012 07:57:17 -0600, Greg Knaddison
<greg.knaddison@...uia.com> wrote:
> Hello MaXe,
> 
> Thanks for the feedback.
> 
> Our security advisories are meant to be a little opaque and do not
> include a POC, so I can understand how these two issues could be
> confusing: they both include XSS in something named (F)CKEditor.
> 
> However this issue is quite different from the one you identified.
> 
> Your advisory was about Javascript execution in html attributes inside
> the Javascript/CKEditor tool itself. This vulnerability is about a
> feature of the Drupal module written in PHP which responds to Ajax
> requests and sends back text filtered using one of Drupal's Input
> Formats.
> 
> Users of Drupal who upgraded (F)CKEditor Javascript previously to
> address the issue you identified in that code need to update their
> Drupal module as well to fix the issue described in the advisory
> SA-CONTRIB-2012-040.
> 
> Regards,
> Greg
> 
> 
> On Wed, Mar 14, 2012 at 2:42 PM, InterN0T Advisories
> <advisories@...ern0t.net> wrote:
>> FYI, this bug was recently fixed by the CKEditor Developers, as the bug
>> itself was in the CKEditor module, not Drupal. (They just use it like
>> everyone else.)
>>
>> Cartoon of the day: http://i.imgur.com/IbRbx.jpg
>>
>>
>> References:
>> https://dev.ckeditor.com/ticket/8630#comment:23
>> http://seclists.org/fulldisclosure/2012/Jan/279
>>
http://forum.intern0t.org/intern0t-advisories/4102-drupal-ckeditor-3-0-3-6-2-persistent-eventhandler-cross-site-scripting.html
>> http://i.imgur.com/IbRbx.jpg
>>
>>
>> Best regards,
>> MaXe
>>
>> PS: Sorry for the previous HTML e-mail.
>>
>> On Wed, 14 Mar 2012 19:03:36 +0000 (UTC), security-news@...pal.org
wrote:
>>> * Advisory ID: DRUPAL-SA-CONTRIB-2012-040
>>>   * Project: CKEditor [1], FCKeditor [2] - WYSIWYG HTML editor
>> (third-party
>>>     module)
>>>   * Version: 6.x, 7.x
>>>   * Date: 2012-March-14
>>>   * Security risk: Highly critical [3]
>>>   * Exploitable from: Remote
>>>   * Vulnerability: Cross Site Scripting, Cross Site Request Forgery,
>>>   Arbitrary
>>>     PHP code execution
>>>
>>> -------- DESCRIPTION
>>> ---------------------------------------------------------
>>>
>>> CKEditor and its predecessor FCKeditor allow Drupal to replace
textarea
>>> fields with the (F)CKEditor - a visual HTML WYSIWYG editor.
>>>
>>> The modules have an AJAX callback that filters text to prevent Cross
>> site
>>> scripting attacks on content edits. This AJAX callback function
contains
>> a
>>> number of bugs which allow attackers to chose which filter to execute
on
>>> chosen text or bypass the filter entirely.
>>>
>>> The vulnerability can be used to conduct Cross site scripting (XSS)
>> attacks
>>> on privileged users. Attackers can also execute arbitrary PHP code if
>> the
>>> core PHP module is enabled. This can happen either directly or by
>> enticing
>>> a
>>> privileged user to visit a page.
>>>
>>> Direct execution of PHP code requires that the attacker has the
>> following
>>> privileges:
>>>
>>> "access fckeditor" for FCKeditor 6.x
>>> "access ckeditor" for CKEditor 6.x
>>>
>>> No additional permissions are required to directly exploit the PHP
code
>>> execution flaw on CKEditor 7.x.
>>>
>>> -------- VERSIONS AFFECTED
>>> ---------------------------------------------------
>>>
>>>   * FCKeditor 6.x-2.x versions prior to 6.x-2.3.
>>>   * CKEditor 6.x-1.x versions prior to 6.x-1.9.
>>>   * CKEditor 7.x-1.x versions prior to 7.x-1.7.
>>>
>>> Drupal core is not affected. If you do not use the contributed
CKEditor
>> -
>>> WYSIWYG HTML editor [4] module, there is nothing you need to do.
>>>
>>> -------- SOLUTION
>>> ------------------------------------------------------------
>>>
>>> Install the latest version:
>>>
>>>   * If you use the FCKeditor module for Drupal 6.x, upgrade to
>>> FCKeditor
>>>     6.x-2.3 [5].
>>>   * If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor
>>>   6.x-1.9
>>>     [6].
>>>   * If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
>>>   7.x-1.7
>>>     [7].
>>>
>>> See also the CKEditor - WYSIWYG HTML editor [8] project page.
>>>
>>> -------- REPORTED BY
>>> ---------------------------------------------------------
>>>
>>>   * Heine Deelstra [9] of the Drupal Security Team
>>>
>>> -------- FIXED BY
>>> ------------------------------------------------------------
>>>
>>>   * Wiktor Walc [10] the module maintainer
>>>
>>> -------- CONTACT AND MORE INFORMATION
>>> ----------------------------------------
>>>
>>> The Drupal security team can be reached at security at drupal.org or
via
>>> the
>>> contact form at http://drupal.org/contact [11].
>>>
>>> Learn more about the Drupal Security team and their policies [12],
>> writing
>>> secure code for Drupal [13], and securing your site [14].
>>>
>>>
>>> [1] http://drupal.org/project/ckeditor
>>> [2] http://drupal.org/project/fckeditor
>>> [3] http://drupal.orgteam/risk-levels
>>> [4] http://drupal.org/project/ckeditor
>>> [5] http://drupal.org/node/1482442
>>> [6] http://drupal.org/node/1482480
>>> [7] http://drupal.org/node/1482466
>>> [8] http://drupal.org/project/ckeditor
>>> [9] http://drupal.org/user/17943
>>> [10] http://drupal.org/user/184556
>>> [11] http://drupal.org/contact
>>> [12] http://drupal.org/security-team
>>> [13] http://drupal.org/writing-secure-code
>>> [14] http://drupal.org/security/secure-configuration
>>>
>>> _______________________________________________
>>> Security-news mailing list
>>> Security-news@...pal.org
>>> http://lists.drupal.org/mailman/listinfo/security-news
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists