Sunday, March 24, 2013

XSS on FCKeditor

What's FCKeditor?
FCKeditor is a ready-for-use open source WYSIWYG text editor from CKSource designed to bring common word processor features directly to web pages, simplifying their content creation. It aims to be lightweight and requires no client-side installation. This tool is already deprecated and was updated to CKEditor but still many open-source projects use FCKeditor.

When using Drupal and PHPList I come across something that caught my attention. The about page (fck_about.html) of FCKeditor showed a window with the User-Agent, Browser and Platform. I thought to myself: I think we can inject something into this window.

I checked the source code and voilĂ ...
document.write( '<b>User Agent<\/b><br />' + window.navigator.userAgent + '<br /><br />' ) ;
document.write( '<b>Browser<\/b><br />' + window.navigator.appName + ' ' + window.navigator.appVersion + '<br /><br />' ) ;
document.write( '<b>Platform<\/b><br />' + window.navigator.platform + '<br /><br />' ) ;

The lack of sanitizing those parameters will allow code to be executed on the browser.

To give a proof-of-concept, I used a Chrome plugin to change the User-Agent for a XSS vector.

Of course this vulnerability is not critical. It requires user interaction to exploit this. You always need to control the victims browser to execute an attack. Needless to say that if you have the victims browser the attacker didn't need to inject a XSS (IMO)...
It's a self-XSS so it needs more than a link to attack someone. It needs to be combined with other attack, like good social engineering skills. I reported this issue because even a self-XSS it's a vulnerability. It can be used to check vendors security response; what kind of vulnerabilities are most common on their products; etc.

By the way FCKeditor is still used in millions of websites and just to be sure update your version.

This issue was fixed on version 2.6.10.
We would like to announce a small update to FCKeditor. FCKeditor 2.6.10 is a minor security release that contains a fix for a recently reported issue where the About dialog window could hypothetically be used for an XSS attack provided that the user was forced by the attacker to change his browser properties.
Please note FCKeditor is a retired and no longer supported product. No further updates will be provided and it is highly recommended to upgrade to its successor, CKEditor, that is a far superior, feature-rich, and mature product.

Also present in 2.6.10 changelog:
Values displayed in the "About" dialog window were not properly escaped - reported by David Sopas.

My congrats to the CKSource team for the fast support showing that they're a company that cares about security.

No comments:

Post a Comment