KindEditor 4.1.2 (name parameter) Reflected XSS Vulnerability
Title: KindEditor 4.1.2 (name parameter) Reflected XSS Vulnerability
Advisory ID: ZSL-2012-5100
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.08.2012
Summary
KindEditor is an open source online HTML editor. It gives site users a WYSIWYG editing experience and lets developers replace the traditional multi-line text input box (textarea) with the KindEditor rich-text visual input box.
Description
KindEditor is prone to a reflected cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'name' parameter through the 'index.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
--------------------------------------------------------------------------------
/index.php (line 14):
---------------------
editor = K.create('textarea[name="<?php echo $name; ?>"]', {
--------------------------------------------------------------------------------
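As an added example (not KindEditor's own code), a hardened form of the index.php pattern above: it validates $name against an allow-list and encodes it separately for the HTML attribute and the JavaScript string context, so a value that fails validation never reaches either. The textarea markup, the safe_field_name and js_string helpers and PHP 7 syntax are assumptions; K.create is the call shown in the advisory.

```php
<?php
// Added example, not KindEditor's code. $name arrives from the request and is
// assumed to be a plain form-field name, so an allow-list is the first defence.
function safe_field_name(?string $raw, string $default = 'content'): string
{
    // Accept only identifier-like names; anything else falls back to the default.
    if ($raw === null || !preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $raw)) {
        return $default;
    }
    return $raw;
}

// Encode a PHP string as a JavaScript string literal for use inside <script>.
// json_encode adds the surrounding double quotes; the HEX flags escape <, >, &,
// ' and " so the value cannot close the script block or the surrounding quotes
// even if the allow-list above is later relaxed.
function js_string(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$name = safe_field_name($_GET['name'] ?? null);
?>
<!-- HTML attribute context: entity-encode, including quotes -->
<textarea name="<?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>"></textarea>
<script>
// JavaScript context: the validated value is emitted as a JS string literal,
// which yields a selector of the form textarea[name="content"].
var selector = 'textarea[name=' + <?php echo js_string($name); ?> + ']';
editor = K.create(selector, {});
</script>
```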
Vendor
Shanghai Hao Yue Software Co., Ltd. - http://www.kindeditor.net
Affected Version
4.1.2 and 4.0.6
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a
Vendor Status
N/A
PoC
kindeditor_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/115819
[2] http://cxsecurity.com/issue/WLB-2012080210
[3] http://www.securityfocus.com/bid/55172
[4] http://xforce.iss.net/xforce/xfdb/77951
Changelog
[23.08.2012] - Initial release
[24.08.2012] - Added reference [3]
[26.08.2012] - Added reference [4]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk