Shortly after upgrading our version of CKEditor a couple months ago, we had customers start complaining that our site would not load for them. After having them install some HTTP sniffer tools we determined that their browser's request for the ckeditor.js file was not receiving a response.
We confirmed with our IIS logs that our server was sending the file. Finally it was determined that the customer had a Secure Works IPS (Intrusion Prevention System) in their network which was blocking the ckeditor.js file, reporting that it contained malicious code (17973 VID11387 Mozilla XPCOM Code Execution HTTP Incoming). The browser would hang while waiting for a response until it eventually timed out several minutes later.
After whitelisting that file, our customer was able to access our site without any problems.
Every couple weeks though, another customer of ours calls complaining about the same issue. We can't have all our customers who complain whitelist the file in their IPS, let alone the customers who haven't called. We need to resolve it, or stop using CKEditor.
I have Googled extensively and searched the forums but cannot find any information on this situation, nor can I find anyone else complaining of the same problem. My best guess is that a hacker somewhere has written an exploit based on the code found in ckeditor.js.
Can someone please confirm:
1) Is the code in ckeditor.js really safe? (See below for the offending snippet)
2) What can be done to keep it from being blocked as malicious?
a) Work with companies like Secure Works to stop blocking the file with their devices
b) Modify the code in the file to not appear malicious
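Thanks in advance for any information/help you may have on this. Below are the log details my customer forwarded me from their Secure Works IPS that was blocking the file. The second captured packet ends in the clipboard code that calls window.netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect'), which is presumably the string the "Mozilla XPCOM Code Execution" signature matched on.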
[**] [1:1717973:0] 17973 VID11387 Mozilla XPCOM Code Execution HTTP Incoming [**]
[Classification: None] [Priority: 3] [Action: DROP]
04/14/2010-17:53:55.038267 64.126.127.230:80 -> 12.107.103.85:3155
tcp TTL:119 TOS:0x0 ID:7976 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7F608759 Ack: 0x624987C1 Win: 0xFFFF TcpLen: 20
rt=u[0];C.selectionEnd=u[1];}C.scrollLeft=v[0];C.scrollTop=v[1];
}u=v=null;y=this.state;},canUndo:false});q.ui.addButton('Maximiz
e',{label:r.maximize,command:'maximize'});q.on('mode',function()
{q.getCommand('maximize').setState(y);},null,null,100);}});})();
j.add('newpage',{init:function(l){l.addCommand('newpage',{modes:
{wysiwyg:1,source:1},exec:function(m){var n=this;m.setData(m.con
fig.newpage_html,function(){setTimeout(function(){m.fire('afterC
ommandExec',{name:n.name,command:n});},200);});m.focus();},async
:true});l.ui.addButton('NewPage',{label:l.lang.newPage,command:'
newpage'});}});i.newpage_html='';j.add('pagebreak',{init:functio
n(l){l.addCommand('pagebreak',j.pagebreakCmd);l.ui.addButton('Pa
geBreak',{label:l.lang.pagebreak,command:'pagebreak'});l.addCss(
'img.cke_pagebreak{background-image: url('+a.getUrl(this.path+'i
mages/pagebreak.gif')+');'+'background-position: center center;'
+'background-repeat: no-repeat;'+'clear: both;'+'display: block;
'+'float: none;'+'width: 100%;'+'border-top: #999999 1px dotted;
'+'border-bottom: #999999 1px dotted;'+'height: 5px;'+'}');},aft
erInit:function(l){var m=l.dataProcessor,n=m&&m.dataFilter;if(n)
n.addRules({elements:{div:function(o){var p=o.attributes,q=p&&p.
style,r=q&&o.children.length==1&&o.children[0],s=r&&r.name=='spa
n'&&r.attributes.style;if(s&&/page-break-after\s*:\s*always/i.te
st(q)&&/display\s*:\s*none/i.test(s))return l.createFakeParserEl
ement(o,'cke_pagebreak','div');}}});},requires:['fak
TAG:1 04/14/2010-17:53:55.041628 64.126.127.230:80 -> 12.107.103.85:3155
tcp TTL:119 TOS:0x0 ID:7977 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7F608D0D Ack: 0x624987C1 Win: 0xFFFF TcpLen: 20
eobjects']});j.pagebreakCmd={exec:function(l){var m=h.createFrom
Html('<div style="page-break-after: always;"><span style="displa
y: none;"> </span></div>');..m=l.createFakeElement(m,'cke_p
agebreak','div');var n=l.getSelection().getRanges();for(var o,p=
0;p<n.length;p++){o=n[p];if(p>0)m=m.clone(true);o.splitBlock('p'
);o.insertNode(m);}}};(function(){j.add('pastefromword',{init:fu
nction(l){var m=0,n=function(){setTimeout(function(){m=0;},0);};
l.addCommand('pastefromword',{canUndo:false,exec:function(){m=1;
if(l.execCommand('paste')===false)l.on('dialogHide',function(o){
o.removeListener();n();});}});l.ui.addButton('PasteFromWord',{la
bel:l.lang.pastefromword.toolbar,command:'pastefromword'});l.on(
'paste',function(o){var p=o.data,q;if((q=p.html)&&(m||/(class=\"
?Mso|style=\"[^\"]*\bmso\-|w:WordDocument)/.test(q))){var r=this
.loadFilterRules(function(){if(r)l.fire('paste',p);else if(!l.co
nfig.pasteFromWordPromptCleanup||m||confirm(l.lang.pastefromword
.confirmCleanup))p.html=a.cleanWord(q,l);});r&&o.cancel();}},thi
s);},loadFilterRules:function(l){var m=a.cleanWord;if(m)l();else
{var n=a.getUrl(i.pasteFromWordCleanupFile||this.path+'filter/de
fault.js');a.scriptLoader.load(n,l,null,false,true);}return!m;}}
);})();(function(){var l={exec:function(o){var p=e.tryThese(func
tion(){var q=window.clipboardData.getData('Text');if(!q)throw 0;
return q;},function(){window.netscape.security.PrivilegeManager.
enablePrivilege('UniversalXPConnect');var q=window.C
[O:SECURITY]
Thu, 07/08/2010 - 20:38
Re: ckeditor.js 3.1 is being blocked by IPS's as malicious
I've filed http://dev.ckeditor.com/ticket/5951 to address this problem.
Re: ckeditor.js 3.1 is being blocked by IPS's as malicious
Thanks for the report.
Re: ckeditor.js 3.1 is being blocked by IPS's as malicious