WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
GNU General Public License v2.0

XSS via Content Module #521

Closed (datnguyen765 closed this issue 1 year ago)

datnguyen765 commented 1 year ago

Hi Team, I found a small XSS via the Content Module.

Steps:

  1. Log in with an administrator account.
  2. Create a new page, click Source, and insert the XSS payload:
    <img src=x onerror=alert(1)>
  3. Save.
  4. Click "View page"; the XSS triggers. [Screenshots: POC1, POC2]

instantflorian commented 1 year ago

Thanks for your advice. The CKEditor is configured in a way that allows the most flexibility. Website owners have to make sure that no malicious users gain backend access. If someone administrates a website with a lot of / not well-known (potentially malicious) users, content filters for the CKEditor can be activated via the editor's own configuration files (see https://ckeditor.com/docs/ckeditor4/latest/guide/dev_acf.html), but ACF has, in our eyes, too many disadvantages to activate this by default. But maybe it's an idea to publish a "CKEditor ACF edition" beside the existing editions (default/developer).

instantflorian commented 1 year ago

It's really easy. If you don't trust your backend users, just go to /modules/ckeditor/ckeditor/config.js and change config.allowedContent = true; to config.allowedContent = false;.
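The two settings discussed in this thread, side by side, as an added example (editor's code, not WBCE's shipped config.js and not the maintainer's): a CKEditor 4 configuration in the shape of the file at /modules/ckeditor/ckeditor/config.js, with the permissive setting the issue describes next to the filtered one the maintainer suggests. The function names are mine; the disallowedContent rule string is an assumption written in the ACF rule format from the guide linked above, added as an explicit deny list on top of automatic mode.

```javascript
// Added example, not WBCE's own config.js. CKEditor 4 loads config.js and
// calls CKEDITOR.editorConfig(config) when an editor instance starts; the
// two variants below are ordinary functions so the file also runs stand-alone.

// Weak setting (what the thread says the default edition ships):
// allowedContent = true switches Advanced Content Filter (ACF) off entirely,
// so markup entered in Source mode, including event-handler attributes such
// as onerror, is kept as typed.
function permissiveEditorConfig(config) {
  config.allowedContent = true;
  return config;
}

// Corrected setting (the maintainer's suggestion): allowedContent = false
// enables ACF in automatic mode, where only the elements, attributes, styles
// and classes registered by enabled toolbar features survive when content is
// loaded into the WYSIWYG view. disallowedContent (assumed rule string) adds
// explicit deny rules on top: every on* attribute on any element, plus
// script and iframe elements, are stripped even if some plugin allowed them.
function filteredEditorConfig(config) {
  config.allowedContent = false;
  config.disallowedContent = '*[on*]; script; iframe';
  return config;
}

// Install the filtered variant when ckeditor.js has been loaded in a page;
// the typeof guard keeps the file loadable outside a browser as well.
if (typeof CKEDITOR !== 'undefined') {
  CKEDITOR.editorConfig = filteredEditorConfig;
}

// Small audit helper: does a config object leave ACF switched off?
// Useful when checking a deployed config.js without starting an editor.
function acfDisabled(config) {
  return config.allowedContent === true;
}
```

ACF is enforced by the editor in the browser, so it bounds what a backend user can produce through the editor UI, not what the account can submit to the server; for deployments where backend accounts are not trusted, the saved content still needs filtering on the server side in addition to this setting.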