mailing list archives
Re: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 22 Jan 2012 20:41:53 +0200
Concerning your advisory about vulnerability in Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
(http://securityvulns.com/docs27577.html), then I'll note, that I've wrote already about this vulnerability last year.
As about this Persistent XSS in Drupal - SecurityVulns ID: 11748 (http://securityvulns.com/docs26584.html and
http://seclists.org/fulldisclosure/2011/Jun/501), as about similar Reflected XSS in Drupal - SecurityVulns ID: 11750
(http://securityvulns.com/docs26588.html and http://seclists.org/fulldisclosure/2011/Jun/529). These XSS attacks can be
done as via FCKeditor/CKEditor, as via TinyMCE and any other rich editors (with preview functionality).
As I've mentioned in publications at my site, these vulnerabilities were found by me at 16.08.2010 (during security
audit). After my brief informing about them at 11.12.2010 and detailed informing at 13.04.2011 to Drupal developers,
they were ignored and not fixed (so it's no wonder that you've found them). I've announced these vulnerabilities at
12.04.2011 and 13.04.2011, and after giving enough time for developers to fix, they were disclosed at 24.06.2011 and
About such XSS vulnerabilities in forms with rich editors I've wrote in April 2011 in my article "Cross-Site Scripting
vulnerabilities in forms"
No claims to you concerning that you've found the same hole, as I've found in 2010. Such things happen (and quite often
people found holes, which I've already found and disclosed earlier), and if you've missed these my findings, about
which I wrote in my advisories and article, then I reminded you. But, please, draw attention to above-mentioned
reflected XSS attack via forms with rich editors in Drupal (which is similar to persistent XSS, but much more forms are
affected and the attack is easier to conduct, because the form_token is not required).
Because these vulnerabilities concern Drupal itself, not only CKEditor (such attack can also be conducted via
FCKeditor, TinyMCE and any other rich editors, and it's Drupal's filter fault), I've not informed CKEditor developers,
but only Drupal developers. So from your side, you've did some job to also draw their attention to this issue (and
maybe if Drupal is ignoring, then there will be some moving from other side to fix these issues, but it was better for
Drupal developers to fix it).
18th January 2012 - Developers of CKEditor has been contacted several times, nothing has happened in two weeks and
the advisory has been available to the public via bugtrackers. Vulnerability released to the general public.
Taking into account, that I've disclosed this hole at 24th July 2011, then it was available for the public from that
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/