KindEditor 4.1.2 (name parameter) Reflected XSS Vulnerability

Medium
Advisory ID: ZSL-2012-5100
Release Date: 23 August 2012
Vendor: Shanghai Hao Yue Software Co., Ltd. - http://www.kindeditor.net
Affected Version: 4.1.2 and 4.0.6
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a

Summary

KindEditor is an open source online HTML editor, mainly used to give a site's users WYSIWYG editing. Developers can use it to replace the traditional multi-line text input box (textarea) with KindEditor's rich visual text input box.

Description

KindEditor is prone to a reflected cross-site scripting vulnerability. The issue is caused by the application failing to properly sanitize user-supplied input passed through the 'name' parameter of the 'index.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

/index.php, line 14:
-----------
editor = K.create('textarea[name="<?php echo $name; ?>"]', {

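A hardened form of the line above, as an added example that is not part of the advisory or of KindEditor's code. It assumes $name is taken from the 'name' request parameter; the function names and the default field name "content" are hypothetical.

```php
<?php
// Added example, not KindEditor's code. Assumption: the value comes from the
// 'name' request parameter and names the <textarea> the editor attaches to.

/**
 * Return the field name only if it matches a strict allow-list;
 * otherwise fall back to a fixed default (hypothetical: "content").
 */
function safe_field_name($raw, $default = 'content')
{
    $ok = is_string($raw)
        && preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $raw) === 1;
    return $ok ? $raw : $default;
}

/**
 * Encode a PHP string as a JavaScript string literal that is safe inside
 * an inline <script> block: quotes, <, > and & become \uXXXX escapes.
 */
function js_string($value)
{
    $json = json_encode(
        (string) $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    if ($json === false) {
        // json_encode() fails on invalid UTF-8; refuse rather than echo raw.
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $json;
}

/** Build the complete, already-quoted first argument for K.create(). */
function editor_selector_js($raw)
{
    return js_string('textarea[name="' . safe_field_name($raw) . '"]');
}

// Constructed inputs: a well-formed name, a value with markup characters,
// and a non-string (as produced by an array-style query parameter).
$samples = array('content1', 'a\'"</b>', array('x'));
foreach ($samples as $sample) {
    echo 'editor = K.create(' . editor_selector_js($sample) . ", {});\n";
}
```

In the template, the quoted literal replaces the raw echo, so the argument is written as K.create(<?php echo editor_selector_js($name); ?>, { with no surrounding quotes in the markup.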
Proof of Concept
Disclosure Timeline: N/A
Credits: Vulnerability discovered by Gjoko Krstic
References
Changelog
23.08.2012 - Initial release
24.08.2012 - Added reference [3]
26.08.2012 - Added reference [4]