KindEditor 4.1.2 (name parameter) Reflected XSS Vulnerability


Vendor: Shanghai Hao Yue Software Co., Ltd.
Product web page: http://www.kindeditor.net
Affected version: 4.1.2 and 4.0.6

Summary: KindEditor online HTML editor is a set of open source, mainly for
users on the site to get WYSIWYG editing effects, developers can replace the
traditional multi-line text input box (textarea) KindEditor rich visualization
text input box.

Desc: KindEditor is prone to a reflected cross-site scripting vulnerability.
This issue is due to a failure in the application to properly sanitize user-supplied
input to the 'name' parameter thru the 'index.php' script. Attackers can exploit this
weakness to execute arbitrary HTML and script code in a user's browser session.


--------------------------------- snip ---------------------------------
/index.php:
----------

Line 14: editor = K.create('textarea[name="<?php echo $name; ?>"]', {

--------------------------------- snip ---------------------------------


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2012-5100
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5100.php


21.08.2012

---


http://localhost/kindeditor/index.php?name=<pre><script>alert('XSS');</script>by ZSL!</pre>