Hey folks,
First, pay attention!
I'm not a hacker; I read it in documentation at phpFreakz!
http://www.phpfreakz.nl/artikelen.php?aid=114&page=2
What I read:
A hacker can simply find a USER COOKIE with FCKeditor using the following code:
with a link tag <a href="javascript:alert(document.cookie)">Hi is this your cookie?</a>
And he has a cookie; maybe it is your cookie....
phpBB (this forum software) is secured, and you can't do it!
Examples below; I have tried a couple, and none of them work!
[url]javascript:alert(document.cookie)[/url]
[url]\'javascript:alert(document.cookie)\'[/url]
[img]\'javascript:alert(document.cookie)\'[/img]
[img]javascript:alert(document.cookie)[/img]
Alexander de Jong...
Security for all
Fri, 08/03/2007 - 01:25
#1
Re: Hackers are simple, to get a cookie, i show you
Hi Alexander,
Generally, this is not an FCKeditor issue. FCKeditor is simply there to help you create nice HTML code which you would otherwise have to write by hand.
Because FCKeditor runs in the client's browser, there is no way to secure your application in it. Even if FCKeditor did not allow adding javascript after href, it is not a big deal for a hacker to create a script that sends evil code with all the XSS hacks inside straight into any of your scripts.
All validation should be performed on the server side, where your site is running (e.g. in PHP).
A very nice XSS cheat sheet can be found at http://ha.ckers.org/xss.html. Please do not test all these hacks here.
Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+
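The reply above makes the point that the editor can be bypassed entirely, so the check on what goes into href or src has to run on the server. The following is an added example of such a server-side check written for this page; it is not code from FCKeditor, phpBB, CKSource or anyone in the thread. It is in JavaScript (Node.js, no dependencies) for illustration only, and the same logic ports directly to the PHP the reply mentions. The function names, the scheme allow-list and the sample inputs are assumptions chosen here; the obfuscated inputs are modelled on the kind of entries found in the cheat sheet linked above.

```javascript
// Added example, not code from FCKeditor, phpBB or the thread: a server-side
// check for the URL in an href/src attribute, the kind of validation the
// reply says belongs in your PHP rather than in the editor. Node.js, no
// dependencies; function names and the allow-list are assumptions made here.

// Schemes a user-submitted link may use. Everything else (javascript:,
// vbscript:, data:, ...) is rejected. Allow-listing beats deny-listing: you
// cannot enumerate every scheme a browser will execute.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Code point -> string, ignoring values outside the Unicode range so a
// hostile entity like &#99999999999; cannot make fromCodePoint throw.
function codePointToString(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Decode the entities an attacker uses to hide "javascript:" from naive
// string matching (&#106;avascript:, &#x6A;avascript:, jav&Tab;ascript:).
// &amp; is decoded last, once, matching the browser's single decoding pass.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":")
    .replace(/&amp;/gi, "&");
}

// Browsers drop tab/newline anywhere in a URL and leading control characters
// and spaces, so "jav\tascript:" still runs. Stripping every control
// character and space is stricter than the browser, which for a filter is
// the safe side to err on.
function normalizeUrl(raw) {
  return decodeEntities(String(raw))
    .replace(/[\u0000-\u0020\u007f]/g, "")
    .toLowerCase();
}

// True if the URL is relative or uses an allowed scheme.
function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(url);
  if (m === null) return true; // no scheme at all: relative URL
  return ALLOWED_SCHEMES.has(m[1]);
}

// Rewrite every href/src attribute in submitted HTML whose value fails the
// check to "#". The attribute regex is only for this example; on a real site
// run the same scheme check inside a proper HTML sanitiser that actually
// parses the markup (on PHP, HTML Purifier is the usual choice).
function sanitizeLinks(html) {
  const attr = /\b(href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  return html.replace(attr, (match, name, dq, sq, bare) => {
    const value = dq !== undefined ? dq : sq !== undefined ? sq : bare;
    return isSafeUrl(value) ? match : `${name}="#"`;
  });
}

// Constructed inputs for this example: the payload from the thread plus the
// obfuscated forms a client can POST directly without ever opening FCKeditor.
const submitted = [
  '<a href="javascript:alert(document.cookie)">Hi is this your cookie?</a>',
  '<a href="JaVaScRiPt:alert(document.cookie)">mixed case</a>',
  '<a href="&#106;avascript:alert(document.cookie)">entity-encoded</a>',
  '<img src="jav&#x09;ascript:alert(document.cookie)">',
  '<a href="http://www.phpfreakz.nl/artikelen.php?aid=114&page=2">article</a>',
];
for (const html of submitted) console.log(sanitizeLinks(html));
```

Note that the check is applied to the decoded, normalized value, never to the raw string: a deny-list that looks for the literal text `javascript:` passes every one of the obfuscated inputs above and is exactly what the cheat sheet is written to defeat.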
Re: Hackers are simple, to get a cookie, i show you
Alright, thanks for your message. I know about XSS and the site, and I know how to protect against it in your PHP code.
I was hacked by a hacker called "Terror master" on my first website http://www.lexsoftware.nl (all in Dutch, because I am Dutch).
And yes, it's a very easy site to hack; it's a downloaded CMS (content management system). And I have a plan to build a new one.
Greetz.
And FCKeditor is a nice editor. But it starts up slowly.