- Issue created by @prudloff
- ๐บ๐ธUnited States markusa
We're seeing sites getting affected now.
Files appear in sites/default/files/js
$ find ./ -name "*wysiwyg_ckeditors*"
./sites/default/files/js/wysiwyg_ckeditors_uWMoMQ5qlhtyHc-FJlMT-azsAxhCeS89weKBiAtXujlM.js
/sites/default/files/js/wysiwyg_ckeditors_uWMoMQ7qlhtyf-cFJlMTazsAxhCeS88weKBiAtXujAQ.jsThese files contain list of links to phishing sites.
1 site fully compromised, and another looking like its happening.
Disable or remove Ckeditor from being used immediately.
- ๐ช๐จEcuador jwilson3
Is this issue mitigated by the fact that you must have access to the CKEditor (which is typically only limited to administrative users).
As a side note: Our staff reached out to CKSource team and were quoted a completely inaccessible and unrealistic price to purchase the LTE support for CKE4.
Organizations on a legacy Drupal project that do NOT have money to upgrade to Drupal 9 also do NOT have $10k per year per project to keep exploits out of their website. So in the end, we're recommending they disable CKEditor until they're able to migrate off. This is a really unfortunate circumstance.
- ๐บ๐ธUnited States nate covington
I'm reading here:
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v...It looks like this vulnerability only applies if you have "Full Page Editing" enabled? Or the Advanced Configuration re: CDATA? Can someone double check my math, etc? It seems like for most private D7 sites, where you only have a few admins, the general public never touches ckeditor... this doesn't apply?
- ๐บ๐ธUnited States Fred Herman
Is there another module that provides the same functionality as Creditor for Drupal7? I am not using composer, just have been downloading new modules as required.
- ๐บ๐ธUnited States nate covington
I'm looking at the security details here:
https://security.snyk.io/package/npm/ckeditor4/4.14.0It looks like the issue is in this file specifically:
/core/htmlparser.jsOn my D7 site, using ckeditor 7.x-1.22, I renamed the file like this, to disable it:
/sites/all/libraries/ckeditor/_source/core/htmlparser-suspect.jsThen I went back into the site and was able to edit / save / etc.
There was a reference to this file too:
/public_html/sites/all/libraries/ckeditor/_samples/ajax.htmlI renamed it like this to be safe:
/public_html/sites/all/libraries/ckeditor/_samples/ajax-disable.htmlIn a few weeks I plan on removing these files altogether because they don't seem to be mission critical ^
Thanks,
-Nate - ๐บ๐ธUnited States sikofitt
It looks like there are no alternatives. https://www.drupal.org/project/wysiwyg โ is minimally maintained supporting Ckeditor4 and TinyMCE4 which are both out of support. I'm not even sure using a company for LTS or D7Security is an option since Ckeditor4 LTS is a paid solution.
- ๐บ๐ธUnited States seanr
Per that same CVE report:
The fix will be available in version 4.24.0-lts
Would it not be possible to pull that release into this module? I've got a situation where upgrading to Ckeditor5 causes breakage. I'd obviously like to get it upgraded and that issue resolved, but finding the time...
- ๐บ๐ธUnited States nate covington
Would it not be possible to pull that release into this module? I've got a situation where upgrading to Ckeditor5 causes breakage on a D10 upgrade. I'd obviously like to get it upgraded and that issue resolved, but finding the time...
I think the issue is the 4.24.x-LTS is the "commercial" flavor of the plugin. So yes, you can use this. But most of us are sitting here scratching our heads over the "suddenly commercial" license and looking for alternatives.
- ๐บ๐ธUnited States Fred Herman
I'm willing to denote some $$ if someone can create a non-commercial equivalent to Creditor, preferably with a simple module without the complicated plugin organization.
- ๐บ๐ธUnited States sikofitt
There is also this module https://www.drupal.org/project/ckeditor_lts โ . Although you still need to pay CKeditor money for the long term support.
- ๐บ๐ธUnited States seanr
Ah, got it. I ended up migrating my sites to CK5, so it's kinda moot, but it's a PITA since the config isn't 1-to-1. :(
- ๐บ๐ธUnited States nate covington
You mean this?
https://www.drupal.org/project/ckeditor5 โIt says it's not supported. You mean you updated the Drupal 7 sites to Drupal 9/10?