*Original author: Tian Long (ye long), Security Service Department, Weston. This article is part of the FreeBuf original reward program and may not be reproduced without permission.
0x01 Preface
KindEditor is an open-source online HTML editor whose main purpose is to give users a WYSIWYG editing experience on a website. Developers can use KindEditor to replace the traditional multi-line text input box (textarea) with a visual rich-text input box. Written in JavaScript, KindEditor integrates seamlessly with Java, .NET, PHP, ASP and other server-side programs, and is suitable for CMS, e-commerce, forum, blog, wiki, email and other Internet applications.
In a recent penetration test I came across the KindEditor input framework. After several tests I found that the code's protection against XSS is quite comprehensive. Since it is open-source code I expected it to be solid, yet I kept feeling something was not right; I set it aside and carried on. In the end the framework turned out to have an XSS injection problem: where a site stores the user input entered through this framework in its database and displays it to other users, this becomes a serious stored XSS vulnerability.
0x02 Test process
First, you need to find a website (the "girlfriend" of this test) that uses this framework, and check the loaded JS files to confirm whether they include the KindEditor framework (it looks as follows):
Then start testing by entering an arbitrary character.
On the example site we found, the submitted data is encoded on the client side, but it is clearly ASCII hex encoding and decodes to plaintext.
Next, try entering the angle brackets < > that can introduce a tag (the <br> in the figure below is added by the client itself).
After decoding, we can see that the developers HTML-encode the angle brackets locally, i.e. on the client. Since the encoding happens client-side, we intercept the request with Burp and replay it directly, applying the encoding ourselves.
But when we enter <script>, we see that the returned result has reset the content at this position to test1 (that is, the user name).
This means that the server-side filtering mechanism performs regular-expression matching: as long as < > contains specific content, it is replaced with a fixed value. So we cannot simply introduce a < > tag, and adding a <script> tag is difficult; the content at this position also cannot be injected with tag attributes. We therefore need a new way to get past the server's filtering mechanism first.
Try encoding < >, but unfortunately the returned content is either garbled or the tag is inserted as literal content, as shown in the figure below (the tag is shown in blue).
This means that the server side was passed, but KindEditor escaped the output content so that it cannot be inserted into the HTML page as a tag.
Then try entering an empty tag < >.
After entering the empty tag, we can see that the <script> tag is returned intact. But we always felt the open-source code would not be that simple, and sure enough, the alert statement was not executed on the relevant page. In the HTML document, however, we can see that <script> has been successfully recognized as a tag.
The reason should be that by the time our <script> tag is inserted into the HTML document, the entire page has already loaded, so the <script> tag is not executed. Since <script> is not executed, we can try to trigger execution through an event, so we started by introducing an onclick event.
From the returned result everything looked perfect, and I felt I was about to win. But when the mouse is clicked all our fantasies are shattered: a new tab pops up and nothing else happens. The expected alert box turned into merely viewing a page.
The well-written open-source code had modified the event handler function, so it could not execute successfully. Testing other events and the javascript: pseudo-protocol gives the same problem: an underscore is inserted after "on" and after "java". It is open-source code after all; I'll give up on my girlfriend.
But I always felt there was a problem and this shouldn't be the end, so I started to reorganize my thinking: the empty tag < > can help us bypass the server's basic filtering mechanism, but the newly added <script> cannot execute, and event handler functions are cleaned by KindEditor. Could we try other tags, rather than tags that depend on event listeners to trigger? I looked for such tags and successfully got past KindEditor's restrictions.
Finally, I saw our favourite pop-up window and the job was done. (It is not convenient to disclose the specific injection code, as we have also contacted the framework author.)
0x03 Source code analysis
In order to determine whether the problem lies with the website developers or with KindEditor itself, we go to the official website and download its source code for analysis.
The directory structure of the whole project is as follows:
Open the KindEditor-all.js file and start the analysis.
If KindEditor itself does any processing, it must be defined with the keyword filter, so do a global search for filter. It turns out that the filter-related parameters in the code are called by the formatHtml function.
Find the definition of the function:
From the function definition we can see that KindEditor does filter the input content, but it does not handle every input situation perfectly. By analyzing the source code, we can see that KindEditor does not filter the tags we entered, which is what causes the XSS injection problem.
0x04 Summary
From the case page of KindEditor's official website http://kindeditor.net, we can see that many websites in China still use this technology. Below are some of the vendors whose sites use it.
However, after testing the websites mentioned above, we found that some of them no longer use the relevant code. But from the GitHub home page of KindEditor we can see that a large number of people follow this project, which shows that many people are still using the framework. As long as it is used, this kind of stored XSS vulnerability may exist. As for the harm of an XSS vulnerability, there is no need to elaborate.
0x05 Preventive measures
During development, developers cannot rely solely on a third-party library for protection: they should HTML-encode content at the point where it is output, or improve the existing filtering rules, so as to eliminate similar injection attacks.
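The following is an added example illustrating the preventive measure above; it is not KindEditor's code and not code from the tested site. It contrasts a naive server-side blacklist of the kind described in the test process (a regular expression that replaces the whole field with a fixed value when it matches a few named tags) with HTML-encoding at output time, which neutralizes every stored value regardless of what the client submitted, including requests replayed through Burp that skipped the client-side encoding. The names escapeHtml, blacklistFilter and renderComment, and the sample comment, are constructed for this example.

```javascript
// Added example (not from KindEditor or the article's target site):
// output-time HTML encoding versus a blacklist regex filter.

// Characters that change meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value so the browser parses it as text, never as markup.
// This runs on the server at output time, so it cannot be skipped by
// replaying a request without the client-side encoding step.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Naive blacklist of the kind the article observed: if the field contains
// one of a few named tags, replace the whole field with a fixed fallback.
// Anything the pattern does not name passes through untouched, which is why
// it is not a substitute for encoding.
function blacklistFilter(value, fallback) {
  return /<\s*(script|iframe)\b/i.test(value) ? fallback : value;
}

// Render a stored comment into the page template (hypothetical template).
// Both the text node and the attribute value are encoded at output.
function renderComment(stored) {
  const author = escapeHtml(stored.author);
  const body = escapeHtml(stored.body);
  return `<div class="comment" data-author="${author}">${body}</div>`;
}

// Constructed sample: a stored comment that carries markup the blacklist
// does not name. Only the encoded rendering keeps it from becoming a tag.
const SAMPLE_COMMENT = { author: 'test1', body: '<b>hi</b>' };

function demo() {
  const viaBlacklist = blacklistFilter(SAMPLE_COMMENT.body, 'test1');
  const viaEncoding = renderComment(SAMPLE_COMMENT);
  return { viaBlacklist, viaEncoding };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the block prints the two renderings side by side: the blacklist leaves `<b>hi</b>` as live markup, while the encoded output contains no unescaped `<` or `>` at all, so a reviewer can check a template by asserting that stored values never reach the response unencoded.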
0x06 Thanks
Thanks to binye for guiding me on front-end technology throughout the test. Half of this girlfriend is yours.