# Exploit Title: Persistent XSS in wysiwyg CKEditor <4.1 Drupal 6.x & 7.x
# Date: 15/05/2013
# Exploit Author: r0ng
# Vendor Homepage: http://www.websitesecurityscan.net, http://www.hackers2devnull.blogspot.co.uk
# Software Links: http://ckeditor.com/release/CKEditor-4.0.3, http://drupal.org/download
# Version: CKEditor <4.1, wysiwyg (all versions), Drupal 6.x and 7.x
# Tested on: Firefox 21, IE 10, Chrome (v.26 now blocks it, unsure when this change was implemented)
# Sites affected: approximately 180,000 drupal sites use ckeditor (http://drupal.org/project/usage/ckeditor)

# Configuration:
# -Default installation of Drupal 6.x and 7.x
# -Default input filters (filtered HTML, disable rich text)

[+] Vulnerability:

By posting the following vector into a comment or a content post, a hidden iframe executes unrestricted javascript when viewed in edit mode (document.cookie is accessible). The attack vector is concealed when viewing the post normally and can be exploited by persuading the admin to edit a user's post or by them following a direct link, e.g.: http://website/node/4/edit.


[+] Vector - hidden iframe with URL encoded script tags

<iframe src="data:text/html; charset=utf-8,%3cscript%3ealert(document.cookie);%3c/script%3e" width="1" height="1" frameborder="0"></iframe>


[+] Disclosure and Fix:

This was disclosed to Drupal on 20/01/13, and was fixed with the release of ckeditor 4.1 (21/03/13).