exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal CKEditor 3.6.2 Cross Site Scripting

Drupal CKEditor 3.6.2 Cross Site Scripting
Posted Jan 18, 2012
Authored by MaXe

Drupal CKEditor versions 3.0 through 3.6.2 suffer from a persistent cross site scripting vulnerability that can be triggered by the addition of an event handler.

tags | exploit, xss
SHA-256 | 93acfce42fd57f2a4a004f9adac2686bf97ded904556c3a836bf23f10d5f3868

Drupal CKEditor 3.6.2 Cross Site Scripting

Change Mirror Download
# Exploit Title: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
# Google Dork: "inurl:"sites/all/modules/ckeditor" -drupalcode.org"
# Google Results: Approximately 379.000 results
# Date: 18th January 2012
# Author: MaXe @InterN0T (Found in a private Hatforce.com Penetration
# Software Link: http://ckeditor.com/ & http://drupal.org/node/1332022
# Version: 3.0 - Current 3.6.2 (Drupal module: 6.x-1.8)
# Screenshot: http://i.imgur.com/8TP6w.png
# Tested on: Windows + FireFox 8.0 & Internet Explorer 8.0

Drupal CKEditor - Persistent / Stored Cross-Site Scripting

Versions Affected: 3.0 - 3.6.2 (Developers confirm all versions since 3.0
are affected.)

CKEditor is a text editor to be used inside web pages. It's a WYSIWYG
editor, which
means that the text being edited on it looks as similar as possible to the
results users
have when publishing it. It brings to the web common editing features
found on desktop
editing applications like Microsoft Word and OpenOffice.

External Links:

Credits: MaXe (@InterN0T) - Hatforce.com

-:: The Advisory ::-
CKEditor is prone to Persistent Cross-Site Scripting within the actual
editor, as
it is possible for an attacker could maliciously inject eventhandlers
serving java-
script code in preview / editing in html mode.

If an attacker injects an eventhandler into an image, such as
then the javascript will execute, even if the data is saved and previewed
in editing
mode later on. (The XSS will only executing during preview / editing in
html mode.)

If an administrator tries to edit the comment afterward, or is logged in
and browses
to the edit page of the malicious comment, then he or she will execute the
allowing attacker controlled code to run in the context of the browser.

Proof of Concept:
Switching to "raw mode" in CKEditor and then writing:
<p><img onload="alert(0);"

Will become this when it is saved:
<p><img data-cke-pa-onload="alert(0);"

If one searches for alert(0); in Firebug after the code has been injected
and executed, the location of the script will be:
Where $full_url_to_script is e.g. the following:

The content of this script is:
function onload(event) {

As there is a HTML filter in Drupal, it does not matter whether the <img>
tag is allowed in this case, as it was possible to execute the eventhandler
either way. (And even store the data.)

-:: Solution ::-
There is currently no solution, as it's not a critical bug according to
developers. See comments at: https://dev.ckeditor.com/ticket/8630 for more
At the same page there is an unofficial patch that should fix the problem,
however it seems that it will not fix the bug in Chrome.

Disclosure Information:
6th December 2011 - Vulnerability found during a private
http://www.hatforce.com Penetration Test
7th December 2011 - Researched and confirmed the vulnerability
4th January 2012 - Reported to Drupal and CKEditor via
http://drupal.org/project/ckeditor and http://dev.ckeditor.com/ and
18th January 2012 - Developers of CKEditor has been contacted several
times, nothing has happened in two weeks and the advisory has been
available to the public via bugtrackers. Vulnerability released to the
general public.
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By