Attackers could bypass content sanitization with malformed HTML
UPDATED Drupal, the widely used web content management system (CMS), has released security updates due to vulnerabilities in CKEditor, a third-party rich text editor bundled with Drupal.
Downloaded more than 30 million times, the open source WYSIWYG editor is used by Microsoft, Siemens, Volvo, Disney, Deloitte, and countless other organizations.
Drupal itself powers more than one million websites.
“Both vulnerabilities were discovered in the core package of the CKEditor 4 and are affecting all earlier versions of the editor,” CKEditor 4 project leader Jacek Bogdański tells The Daily Swig.
Drupal says its users are vulnerable to the flaws if the CMS is configured to allow use of the CKEditor library for WYSIWYG editing.
“An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more [of the bugs] to target users with access to the WYSIWYG CKEditor, including site admins with privileged access,” reads a security advisory published by Drupal on November 17.
The threat level is such that the US Cybersecurity and Infrastructure Security Agency (CISA) saw fit to issue a warning about the importance of applying updates.
However, although the number of potentially vulnerable systems is significant, the attack “requires tricking a potential victim to copy and paste malicious HTML from the external source to the editor”, says Bogdański.
He also emphasizes that the vulnerability is present only when a user is running an affected version of the editor, and that it is unrelated to content already produced by CKEditor.
“Nevertheless, we recommend upgrading the editor as soon as possible,” he adds.
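The headline's point, that malformed HTML can slip past sanitization, is general and worth seeing concretely. The Python example below is added by the editor; it is not CKEditor's code and does not reproduce the CKEditor 4 bugs, which the article does not detail. It contrasts a regex-based stripper, which a split tag can defeat, with an allowlist sanitizer built on the standard library's HTML parser. The pasted payload, the tag allowlist and the URL scheme list are the editor's own constructed assumptions.

```python
"""Added example: why string-matching sanitizers fail on malformed HTML, and a
parser-based allowlist that does not. Editor's illustration only; this is not
CKEditor's sanitizer and not a reproduction of the CKEditor 4 vulnerabilities."""
import html
import re
from html.parser import HTMLParser

# Constructed sample of markup an attacker might host for a victim to copy and
# paste into an editor. The <script> tag is split around a decoy pair.
PASTED_MALFORMED = '<scr<script></script>ipt>alert(document.cookie)</script>'


def naive_strip(markup: str) -> str:
    """Regex 'sanitizer' of the kind found in ad-hoc code. Deleting the first
    <script>...</script> pair re-joins the two halves of the outer tag."""
    return re.sub(r'<script\b.*?</script>', '', markup, flags=re.I | re.S)


class AllowlistSanitizer(HTMLParser):
    """Tokenize with a real HTML parser, re-serialize only allowlisted tags and
    attributes, and HTML-escape every text node. Anything not allowlisted
    (unknown tags, event handlers, comments, declarations) is dropped."""
    ALLOWED = {'p': set(), 'b': set(), 'i': set(), 'em': set(), 'strong': set(),
               'ul': set(), 'ol': set(), 'li': set(), 'br': set(),
               'a': {'href'}}                      # assumed allowlist
    VOID = {'br'}
    SAFE_SCHEMES = ('http://', 'https://', 'mailto:')   # assumed; relative URLs dropped

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_until = None   # set while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if self.skip_until:
            return
        if tag in ('script', 'style'):
            self.skip_until = tag
            return
        if tag not in self.ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue
            if name == 'href' and not value.strip().lower().startswith(self.SAFE_SCHEMES):
                continue   # rejects javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if self.skip_until:
            if tag == self.skip_until:
                self.skip_until = None
            return
        if tag in self.ALLOWED and tag not in self.VOID:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip_until:
            self.out.append(html.escape(data, quote=False))
    # comments, doctypes and processing instructions hit the no-op defaults


def allowlist_sanitize(markup: str) -> str:
    """Rebuild the markup from parsed tokens instead of editing the string."""
    s = AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return ''.join(s.out)


if __name__ == '__main__':
    print('naive    :', naive_strip(PASTED_MALFORMED))
    print('allowlist:', allowlist_sanitize(PASTED_MALFORMED))
```

The naive stripper turns the pasted payload into a live `<script>` element, while the parser-based version never emits one, because it only writes tags it chose to keep rather than removing patterns it recognised. The same rule applies on both sides of a CMS: since the advisory notes that the attacker need not have CKEditor access at all, server-side sanitization on save is the control that holds, with any client-side editor filter treated as convenience rather than a boundary.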
CKEditor, Drupal updates
Mindful of their responsibility given CKEditor’s use “by millions of users worldwide”, Bogdański says CKSource has “designed a completely new architecture in CKEditor 5 to reduce the chances of having XSS issues”, but in the meantime will strive “to keep CKEditor 4 secure at least until 2023”.
Users of Drupal 9.2 are advised to update to Drupal 9.2.9, users of Drupal 9.1 should update to Drupal 9.1.14, and users of Drupal 8.9 should update to Drupal 8.9.20.
The update represents the final security release for Drupal 8, which joins versions older than 9.1.x in having reached its end of life.
Drupal 8 users should apply that final 8.9.20 release “and, as quickly as possible, upgrade to Drupal 9”, Greg Knaddison, volunteer member of the Drupal security team and senior director of information systems at the Morris Animal Foundation, tells The Daily Swig. “It’s a very straightforward process due to the way we managed deprecation and backwards compatibility in this release cycle.”
Although Drupal 7 does not include the CKEditor module, continues Knaddison, it “can be affected if the site uses the CKEditor via a contributed module. The Security Team does not do advisories for modules where the site admin has to download library code (like CKEditor) as part of the installation,” he adds, citing a recent policy.
Both Knaddison and Bogdański thanked the researchers who uncovered the vulnerabilities. Knaddison also commended Bogdański for keeping the Drupal team “updated throughout the process with respect to timing and the hotfix so we could be well prepared”.
Bogdański praised the numerous security researchers who have disclosed vulnerabilities over the years, all of whom did so responsibly. “That’s the beauty of open source,” he says. “By letting everyone access your source code, one increases the chances of finding your weaknesses, but at the same time it makes your software better each time.”
This article was updated on November 19 with comments from Greg Knaddison of the Drupal security team, and on November 24 with comments from CKSource.