Researcher details nasty XSS flaw in popular web editor
First denial, then anger, then DDoS, then patching.
A tool that's popular with Microsoft's in-house developers, the RadEditor HTML editor, contains a dangerous cross-site scripting (XSS) vulnerability, researcher GS McNamara says.
The editor was developed by Telerik and used in trusted in-house code in many big enterprises and across Redmond products including MSDN, CodePlex, TechNet, MCMS and as an alternative for SharePoint.
McNamara, of CGI Federal, said the flaw (CVE-2014-4958) was dangerous, leading to typical XSS impacts including potential theft of personal information and sessions, and drive-by downloads.
"You've got these big websites that may use [RadEditor] which you'd expect would run good input validation, but perhaps some of these mid to small websites did not and just dropped it in and went live," McNamara told Vulture South.
"It is a great corridor to put malicious scripts into content databases."
The XSS wasn't immediately obvious and was missed by a commercial vulnerability scanner. Telerik, he said, didn't push deep enough to find vulnerabilities.
"You can cover the easy cases of XSS, the opening script tags and closing script tags, but you really need to go deeper, to look into edge cases," he said.
Specifically, the flaw lay in the way the existing input-validation security filters worked in unison, which failed to cover lesser-known attack vectors drafted some time ago by WhiteHat Security founder Jeremiah Grossman.
Telerik senior software developer Nikodim Lazarov detailed the flaw in a blog and thanked McNamara for his research.
RadEditor does not sanitise CSS expressions from the content out of the box at the moment ... we see it fit to add an extra layer of built-in sanitising that strips CSS expressions unconditionally from the Editor content as of Q3 2014. This way, you will get this feature out of the box and you will have one thing less to worry about when it comes to securing from XSS attacks.
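To illustrate the point about filters covering only "the easy cases", here is an added example (not Telerik's or McNamara's code): a naive check that only looks for script tags lets a style attribute carrying a CSS expression through, while a sanitiser that normalises the style value before matching strips it unconditionally, as the Q3 2014 change describes. The function names and the sample fragments are constructed for this example.

```python
import html
import re

# Naive filter of the kind the article says only covers "the easy cases":
# it looks for opening and closing script tags and nothing else.
SCRIPT_TAG = re.compile(r"</?\s*script\b", re.IGNORECASE)

def naive_filter_blocks(fragment: str) -> bool:
    """Return True if the naive filter would reject this HTML fragment."""
    return SCRIPT_TAG.search(fragment) is not None

# Matches a style="..." or style='...' attribute inside a tag.
STYLE_ATTR = re.compile(r"""\sstyle\s*=\s*("[^"]*"|'[^']*')""", re.IGNORECASE)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def normalise_css(value: str) -> str:
    """See through the encodings a filter must undo before matching:
    HTML entities, CSS comments, backslash characters and whitespace."""
    value = html.unescape(value)
    value = CSS_COMMENT.sub("", value)
    value = value.replace("\\", "")
    return re.sub(r"\s+", "", value).lower()

def has_css_expression(style_value: str) -> bool:
    """True if the normalised style value contains a CSS expression()."""
    return "expression(" in normalise_css(style_value)

def strip_css_expressions(fragment: str) -> str:
    """Unconditionally drop any style attribute whose normalised value
    contains a CSS expression; all other markup is left untouched."""
    def replace(match: re.Match) -> str:
        quoted = match.group(1)
        if has_css_expression(quoted[1:-1]):
            return ""  # remove the whole attribute, not just the expression
        return match.group(0)
    return STYLE_ATTR.sub(replace, fragment)

# Constructed sample fragments: one benign, one with a plain expression,
# one where a CSS comment splits the keyword the naive check never sees.
SAMPLES = [
    '<p style="color: red">x</p>',
    '<p style="width: expression(alert(1))">x</p>',
    '<p style="width: expr/**/ession(alert(1))">x</p>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(naive_filter_blocks(sample), strip_css_expressions(sample))
```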
The program's use of a strange format for data sent between servers was likely the reason the commercial scanner did not detect the XSS, and also what piqued McNamara's curiosity, prompting some "obsessive" manual checks.
McNamara alleged Telerik's front-of-house support staff rejected the flaw's existence and told him to upgrade to a workaround fix which only addressed half of the attack vector.
He responded with exploit code, and a message to an internal security staffer. A patch was due out later this month.
His blog was knocked offline by a distributed denial of service attack the night he published, with traffic originating from eight IPs across the Netherlands, China and the US. It targeted a component of WordPress blogs that sends link-back traffic to other blogs, thereby more quickly exhausting compute resources.
It was unknown if the attack, the first of its kind to hit his blog, was in relation to his disclosure.
"Most of the company's user base is likely unaware that they silently integrated a high-risk vulnerability into their site. System owners signed off on this without knowing," he said in an email.
"I hope the news gets the word out."
McNamara plans to test other editors for similar vulnerabilities. ®