ID CVE-2014-4958 Type cve Reporter cve@mitre.org Modified 2015-09-16T19:30:00
Description
Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes.
{"securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "description": "\r\n\r\nAll versions of the popular UI for ASP.NET AJAX RadEditor Control product by Telerik may be affected by a high-risk stored attribute-based cross-site scripting (XSS) vulnerability that is assigned CVE-2014-4958. This WYSIWYG rich text editor is \u201c...what Microsoft chose to use in MSDN, CodePlex, TechNet, MCMS and even as an alternative to the default editor in SharePoint.\u201d\r\n\r\nPersonally tested and confirmed are versions: 2014.1.403.35 (much newer) and 2009.3.1208.20 (much older) using Internet Explorer 8, version 8.0.7601.17514. However, all versions from Telerik at this time may be vulnerable and will continue to be until a patched is released. A workaround may be available.\r\n\r\nMore information on the vulnerability: http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/\r\n\r\nRemediation: Telerik states: We have applied a patch to the editor that will be delivered with our Q3 edition of the controls that should be released towards the end of October. A blog post on the issue has been published here: http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks\r\n\r\nAdditional credit goes to Tyler Hoyle and the rest of my team in CGI Federal\u2019s Emerging Technologies Security Practice for their hard work.\r\n\r\n", "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31198", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31198", "title": "CVE-2014-4958: Stored Attribute-Based Cross-Site Scripting (XSS) Vulnerability in Telerik UI for ASP.NET AJAX RadEditor Control", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:VULN:14008", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14008", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2018-10-06T22:58:04", "bulletinFamily": "info", "description": "All versions of an HTML editor used in several Microsoft technologies, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious script and glean private information.\n\nThe problem exists in all versions of RadEditor, a WYSIWYG text editor manufactured by Bulgaria-based firm Telerik, according to security researcher G.S. McNamara, who disclosed the vulnerability on [his blog late last week](<http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/>).\n\n\u201cTechnically speaking, this is a massive hole in how existing input validation security filters work in unison,\u201d McNamara said in an email Thursday to Threatpost regarding the vulnerability.\n\nThe editor, which allows users to input rich-text, is used to varying degrees in Microsoft products like [MSDN, CodePlex, TechNet, and MCMS, along with some Sharepoint and ASP.NET implementations](<http://demos.telerik.com/aspnet-ajax/editor/examples/overview/defaultcs.aspx>).\n\n\u201cIt\u2019s a silent killer, too, because at least one commercial penetration-testing tool failed to find it\u201d McNamara said, \u201cYou just get a false negative.\u201d\n\nMcNamara initially found the vulnerability (CVE-2014-4958) in a 2009 version (2009.3.1208.20) of the product on Internet Explorer along with a 2014 version but suggests it could have existed in previous iterations of the editor.\n\n\u201cI just had a hunch and followed it obsessively, manually,\u201d McNamara said of his search for the bug, which he first dug up on July 9.\n\nFrom there it took about two months of going back and forth with the company.\n\nWhen he first contacted Telerik\u2019s Customer Support department, it insisted the bug had already been fixed. To prove his case McNamara forwarded the company his exploit code. When Telerik still wouldn\u2019t put him in touch with anyone in charge of security, McNamara ultimately had to go through what he calls \u201cunofficial channels,\u201d by sending a personal email to a Telerik employee\u2019s Gmail account in late August, to finally get the ball rolling.\n\nIt wasn\u2019t until earlier this month that the researcher and the company agreed to coordinate a disclosure. Yet after two weeks of radio silence from Telerik \u2013 McNamara claims he made multiple phone calls, emails, requests to high-level account managers \u2013 he decided to disclose the bug independently \u2014 only to have the company release its information \u201cout of the blue,\u201d hours before he was planning on releasing his, last Wednesday.\n\n\u201cResolving this politely was tough,\u201d McNamara admits, claiming the issue lasted as long as it did due to a lapse in responsibility.\n\n\u201cThis is a technical product sold to technical developers, and Telerik wanted the developers to share the responsibility of security. The developers probably didn\u2019t know that,\u201d McNamara said.\n\nWhile RadEditor\u2019s filters cover some attack vectors \u2013 namely the RemoveScripts filter to strip out script tags \u2013 the attack technique that McNamara used \u201cis not your typical XSS.\u201d\n\n\u201cBy using lesser-known attacks I found a way through,\u201d McNamara said, adding that he put to use some old research by WhiteHat Security\u2019s Jeremiah Grossman to help dig up the vulnerability.\n\nSpecifically the vulnerability employs attribute-based cross-site scripting without relying on JavaScript tags. It\u2019s also harder to detect because the web editor has to process many different obfuscated elements, notably dynamic properties like CSS Expressions, used in older builds of IE, in addition to JavaScript.\n\nIn a blog entry Telerik [posted on Wednesday](<http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks>) the company addressed the issue and gave credit to McNamara but stood pat on its stance that the responsibility of sanitizing content to prevent threats should fall to the developer.\n\n\u201cIt is always the duty of the developer to implement the necessary content validation,\u201d Nikodim Lazarov, one of the company\u2019s senior software developers wrote.\n\nThe company is slated to push out a patch for the issue but not until it updates the Q3 edition of its controls, in late October. In the meantime Telerik is [giving users a workaround](<http://feedback.telerik.com/Project/108/Feedback/Details/137364-prevent-possible-xss-attack-in-radeditor-using-malicious-content-in-ie>) that it\u2019s strongly recommending users follow until its patch is pushed.\n\nMcNamara, who works as an application security engineer at the IT services provider CGI, says that he\u2019s planning to do further research in his spare time on other rich text editors like RadEditor to see if he can find similar problems.\n\n\u201cMost of the company\u2019s user base is likely unaware that they silently integrated a high-risk vulnerability into their site,\u201d McNamara says of bug in closing, \u201cSystem owners signed off on this without knowing.\u201d\n", "modified": "2014-10-01T19:22:03", "published": "2014-09-29T12:15:03", "id": "THREATPOST:DDF98CD337434196370FDCA7D39C0ED0", "href": "https://threatpost.com/radeditor-web-editor-vulnerable-to-xss-attacks/108594/", "type": "threatpost", "title": "Web Editor Vulnerable To XSS Attacks", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
