While doing a regular web application penetration test for one of our clients, I found a reflected cross-site scripting (XSS) vulnerability in a very popular application, CKEditor, and more precisely in the module this application has for Drupal. It was somewhat ironic, because the vulnerable page was actually the one in charge of checking for this kind of vulnerability! A detailed description of the issue, the affected versions, and other important information can be found in the following Drupal security advisory: https://www.drupal.org/node/2357029.
As a quick summary, it is important to emphasise that <script> tags are intentionally allowed by the CKEditor module: there is a function named “filter_xss” which is used to deal with the XSS attacks that CKEditor can’t deal with, and CKEditor itself is able to handle the <script> tag and hide it in WYSIWYG mode. The real source of the problem is the value of the third argument of the “drupal_valid_token” function, which for some reason was set to TRUE back in 2012. Had this argument been set to FALSE the attack would not work, as the token check would protect the victim from form submissions originating on external websites. In the vulnerable versions, however, the attack works against anonymous users because the token validation is skipped for them.
A proof-of-concept example is the specially crafted POST request shown below, sent to the following CKEditor-related page: www.example.com/ckeditor/xss:
POST /ckeditor/xss
text=<script>alert('XSS')</script>&input_format=filtered_html&token=<token>
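To make the token issue concrete, here is an added example (not the CKEditor module's or Drupal's own code) that models the Drupal 7 behaviour described above: drupal_valid_token($token, $value, $skip_anonymous) accepts any token from an anonymous user (uid 0) when $skip_anonymous is TRUE. The demo reimplements that logic in miniature, with a constructed session id, private key, token seed string ('ckeditor_xss') and request handler, all of which are assumptions for illustration, and runs the same forged POST from the proof of concept through the weak setting and the corrected one.

```php
<?php
// Added example, not the CKEditor module's or Drupal's own code.
// Simplified model of Drupal 7's drupal_get_token()/drupal_valid_token():
// a token is an HMAC over the session id and a caller-supplied seed value.

$user        = (object) ['uid' => 0];   // anonymous visitor (uid 0)
$session_id  = 'demo-session-id';       // constructed, stands in for session_id()
$private_key = 'demo-private-key';      // constructed, stands in for drupal_get_private_key()

function demo_get_token($value = '') {
    global $session_id, $private_key;
    return hash_hmac('sha256', $session_id . $value, $private_key);
}

// Mirrors the behaviour the advisory describes: when $skip_anonymous is TRUE,
// an anonymous user is accepted no matter what token the request carries.
function demo_valid_token($token, $value = '', $skip_anonymous = FALSE) {
    global $user;
    return ($skip_anonymous && $user->uid == 0)
        || hash_equals(demo_get_token($value), (string) $token);
}

// Hypothetical /ckeditor/xss-style handler; the third argument is the one
// that was TRUE in the vulnerable versions and FALSE after the fix.
function demo_xss_handler(array $post, $skip_anonymous) {
    if (!isset($post['text'], $post['input_format'], $post['token'])) {
        return 'HTTP 400: missing parameters';
    }
    if (!demo_valid_token($post['token'], 'ckeditor_xss', $skip_anonymous)) {
        return 'HTTP 403: invalid token';
    }
    // In the real module the text would now go through the filter pipeline and
    // be reflected in the response; the demo only reports that it got this far.
    return 'HTTP 200: request admitted to the filter pipeline';
}

// Constructed cross-site request: an external page cannot know the victim's token.
$forged = [
    'text'         => "<script>alert('XSS')</script>",
    'input_format' => 'filtered_html',
    'token'        => 'whatever',
];

echo "skip_anonymous=TRUE  (vulnerable): ", demo_xss_handler($forged, TRUE), PHP_EOL;
echo "skip_anonymous=FALSE (fixed):      ", demo_xss_handler($forged, FALSE), PHP_EOL;

// A same-origin request carrying a real token still works after the fix.
$legit = $forged;
$legit['token'] = demo_get_token('ckeditor_xss');
echo "valid token, skip_anonymous=FALSE: ", demo_xss_handler($legit, FALSE), PHP_EOL;
```

Run with the PHP CLI: the forged request is admitted only under the weak setting, is rejected with a 403 once the third argument is FALSE, and a request carrying a genuine token keeps working, which is why flipping that single argument was enough to close the cross-site route without breaking the page for legitimate callers.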
After a stretch of collaboration with the CKEditor main maintainer and a few guys from the Drupal security team, the issue was fixed and a patch was released.