[Security-news] SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)
security-news at drupal.org
security-news at drupal.org
Wed Oct 15 19:32:55 UTC 2014
View online: https://www.drupal.org/node/2357029
* Advisory ID: DRUPAL-SA-CONTRIB-2014-098
* Project: CKEditor - WYSIWYG HTML editor [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-October-15
* Security risk: 16/25 ( Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to
replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of
FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.
Both modules define a function, called via an ajax request, that filters text
before passing it into the editor, to prevent certain cross site scripting
attacks on content edits (that the JavaScript library might not handle).
Because the function did not check a CSRF token for anonymous users, it was
possible to perform reflected XSS against anonymous users via CSRF.
The problem existed in CKEditor/FCKeditor modules for Drupal, not in
JavaScript libraries with the same names.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CKEditor 7.x-1.x versions prior to 7.x-1.15.
* CKEditor 6.x-1.x versions prior to 6.x-1.14.
* FCKeditor 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed CKEditor -
WYSIWYG HTML editor [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
7.x-1.16 [5]
* If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor
6.x-1.15 [6]
* If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor
6.x-2.4 [7]
Also see the CKEditor - WYSIWYG HTML editor [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Antonio Sánchez [9]
-------- FIXED BY
------------------------------------------------------------
* Wiktor Walc [10] the module maintainer
* Nguyễn Hải Nam [11] the module maintainer
* Matt Vance [12] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] https://www.drupal.org/project/ckeditor
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/ckeditor
[5] https://www.drupal.org/node/2356563
[6] https://www.drupal.org/node/2356565
[7] https://www.drupal.org/node/2356557
[8] https://www.drupal.org/project/ckeditor
[9] https://www.drupal.org/user/2957675
[10] https://www.drupal.org/u/wwalc
[11] https://www.drupal.org/u/jcisio
[12] https://www.drupal.org/u/matt-v.
[13] https://www.drupal.org/u/greggles
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
More information about the Security-news
mailing list