New dangerous vulnerabilities in TinyMCE and CKEditor

Tuesday, October 27, 2020, 10:06 GMT

Researchers David Bimmel, Joost Vondeling and Ramòn Janssen discovered a new vulnerability in TinyMCE and CKEditor that could allow an attacker to exploit users' data via XSS (cross-site scripting).



DETAILS:

PDW File Browser for the TinyMCE and CKEditor WYSIWYG editors:

  1. Copy pdw_file_browser folder to the plugins folder under tiny_mce (/tiny_mce/plugins/)
  2. See source code for how to add the plugin to your editor setup.

TinyMCE

$().ready(function() {
  
  $('textarea#example1').tinymce({
    // Location of TinyMCE script
    script_url : "../javascript/tiny_mce/tiny_mce.js",
    // General options
    theme : "advanced",
    skin : "o2k7",
    plugins : "safari, pagebreak, style, layer, table, save, advhr, advimage, advlink, emotions, iespell, inlinepopups, insertdatetime, preview, media, searchreplace, print, contextmenu, paste, directionality, fullscreen, noneditable, visualchars, nonbreaking, xhtmlxtras, template",
    file_browser_callback : "filebrowser",
 
    // Theme options
    theme_advanced_buttons1 : "image, media, link",
    theme_advanced_buttons2 : "",
    theme_advanced_toolbar_location : "top",
    theme_advanced_toolbar_align : "left",
    
    height : '300',
    width : '450'
  });
});
// Callback named in file_browser_callback above; opens the PDW File Browser in a popup.
function filebrowser(field_name, url, type, win) {
  
  var fileBrowserURL = "/path/to/file/browser/index.php?editor=tinymce&filter=" + type;
    
  tinyMCE.activeEditor.windowManager.open({
      title: "PDW File Browser",
      url: fileBrowserURL,
      width: 950,
      height: 650,
      inline: 0,
      maximizable: 1,
      close_previous: 0
    },{
      window : win,
      input : field_name
    }
  );    
}

CKEditor

<textarea cols="80" id="editor1" name="editor1" rows="10"></textarea>
<script type="text/javascript"> 
//<![CDATA[
 
// This call can be placed at any point after the
// <textarea>, or inside a <head><script> in a
// window.onload event handler.
 
// Replace the <textarea id="editor1"> with a CKEditor
// instance whose browse dialogs open the PDW File Browser.
CKEDITOR.replace( 'editor1', {
        filebrowserBrowseUrl : '/path/to/pdw_file_browser/index.php?editor=ckeditor',
        filebrowserImageBrowseUrl : '/path/to/pdw_file_browser/index.php?editor=ckeditor&filter=image',
        filebrowserFlashBrowseUrl : '/path/to/pdw_file_browser/index.php?editor=ckeditor&filter=flash'
    }
);
 
//]]>
</script>
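
To find where a code base wires in the file browser, the following added example (not part of the original advisory or of the PDW File Browser project) scans page and script sources for the configuration keys and URLs used in the two snippets above. The file names and contents in SAMPLE_SOURCES are constructed, and the split into "generic hook" and "likely PDW" findings is an assumption of this example.

```javascript
// Added example. Patterns come from the setup snippets on this page;
// SAMPLE_SOURCES (file names and contents) is constructed for illustration.
const PATTERNS = [
  // TinyMCE hook that delegates browsing to a custom function
  { id: 'tinymce-callback', re: /file_browser_callback\s*:/ },
  // CKEditor settings that point browse dialogs at an external URL
  { id: 'ckeditor-browse-url', re: /filebrowser(?:Image|Flash)?BrowseUrl\s*:/ },
  // URL that selects the browser's editor mode, as in both snippets
  { id: 'pdw-endpoint', re: /index\.php\?editor=(?:tinymce|ckeditor)\b/ },
  // Plugin folder name from the install step
  { id: 'pdw-folder', re: /pdw_file_browser/ },
];

// Return one finding per line that matches at least one pattern.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const hits = PATTERNS.filter((p) => p.re.test(line)).map((p) => p.id);
    if (hits.length) findings.push({ file, line: i + 1, hits, text: line.trim() });
  });
  return findings;
}

// Scan a { fileName: contents } map. A file is "likely" using the PDW
// browser when a line names its endpoint or folder, not just a generic hook.
function audit(sources) {
  const findings = Object.entries(sources).flatMap(([f, t]) => scanSource(f, t));
  const likely = findings.filter((f) =>
    f.hits.includes('pdw-endpoint') || f.hits.includes('pdw-folder'));
  return { findings, likelyFiles: [...new Set(likely.map((f) => f.file))].sort() };
}

const SAMPLE_SOURCES = {
  'admin/edit.js': [
    'file_browser_callback : "filebrowser",',
    'fileBrowserURL = "/path/to/file/browser/index.php?editor=tinymce&filter=" + type;',
  ].join('\n'),
  'admin/news.html': [
    "CKEDITOR.replace( 'editor1', {",
    "  filebrowserImageBrowseUrl : '/path/to/pdw_file_browser/index.php?editor=ckeditor&filter=image'",
    '});',
  ].join('\n'),
  'public/contact.html': '<textarea id="msg"></textarea>',
};

console.log(JSON.stringify(audit(SAMPLE_SOURCES), null, 2));
```

Pages listed in likelyFiles are the ones to review or take offline first; a lone tinymce-callback hit only shows that some custom file browser is configured.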

References:

github.com/GuidoNeele/PDW-File-Browser