Class       Cross-Site Scripting
Remote      Yes
Published   2nd June 2014
Credit      Robin Bailey of Dionach (vulns@dionach.com)
Vulnerable  FCKeditor <= 2.6.10
FCKeditor is prone to a reflected cross-site scripting (XSS) vulnerability due to inadequately sanitised user input. An attacker may leverage this issue to run JavaScript in the context of a victim's browser.
FCKeditor 2.6.10 is known to be vulnerable; older versions may also be vulnerable.
Note that this issue is related to CVE-2012-4000, which was a cross-site scripting vulnerability in the values of the textinputs[] array passed to the spellchecker.php page. To resolve this issue the values of this array were encoded with htmlspecialchars() before being output to the page; however the array keys were still echoed unencoded.
PoC:
POST http://[target]/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
textinputs[1</script><script>alert(document.cookie);//</script>]=zz
The vendor was notified of this issue, and FCKeditor 2.6.11 was released to address this vulnerability. See the following vendor announcement:
http://ckeditor.com/blog/FCKeditor-2.6.11-Released
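The gap between encoded values and unencoded keys described above, shown as an added PHP example that is neither FCKeditor's code nor the vendor's patch. The function names, the output format and the sample input are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the output format are hypothetical,
// not FCKeditor's code. Both functions build lines for an inline <script>.

// The state the advisory describes after the CVE-2012-4000 fix:
// values go through htmlspecialchars(), keys are echoed as received.
function render_values_only(array $textinputs): string
{
    $out = '';
    foreach ($textinputs as $key => $val) {
        $out .= "textinputs[$key] = \""
              . htmlspecialchars((string) $val, ENT_QUOTES, 'UTF-8') . "\";\n";
    }
    return $out;
}

// Hardened form: a key is only ever meant to be an array index, so anything
// that is not a non-negative integer is dropped rather than encoded.
// PHP already turns canonical decimal string keys ("7") into int keys.
function render_keys_validated(array $textinputs): string
{
    $out = '';
    foreach ($textinputs as $key => $val) {
        if (!is_int($key) || $key < 0 || !is_string($val)) {
            continue;
        }
        // json_encode() with JSON_HEX_* flags is this example's choice for a
        // script context; it emits a quoted JS string with < > & ' " escaped.
        $js = json_encode($val, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        if ($js === false) {
            continue; // value was not valid UTF-8
        }
        $out .= "textinputs[$key] = $js;\n";
    }
    return $out;
}

// Constructed sample: one well-formed entry, one key carrying inert markup.
$sample = [
    0 => 'hello <world>',
    '1<b>x</b>' => 'zz',
];

echo "--- values encoded, keys raw ---\n", render_values_only($sample);
echo "--- keys validated ---\n", render_keys_validated($sample);
```

In the first listing the markup in the second key reaches the output unchanged while the value of the first entry is encoded; in the second listing only the integer-keyed entry is emitted.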
Timeline:
28/05/2014  Vulnerability identified
28/05/2014  Initial vendor contact
28/05/2014  Vendor response to contact
28/05/2014  Vulnerability disclosed to vendor
29/05/2014  Vendor confirms vulnerability
02/06/2014  Vendor releases patch
02/06/2014  Public disclosure of vulnerability