Friday, July 25, 2008

Script Exploit Via FCKEditor

At work, I use BugTracker.NET to post bug reports and do stuff. It's not my favorite bug tracking software, but since they already had it set up for us, we decided to just play along.

BugTracker.NET supports rich text via the FCKEditor control and while it is quite nifty, it lets you go into 'source code' mode by pressing Ctrl-Tab (which, by coincidence, is the same shortcut I use to switch between tabs in Firefox and most other browsers). I then typed in a JavaScript to redirect the browser to (just a randomly selected website) and now that bug report is pretty much inaccessible to anyone with a browser that runs Javascript.

I know, I know, FCKEditor is just a control for WYSIWYG HTML editing so you can't really blame it for the fault of the system using it - BugTracker.NET should've removed the script while saving it.


Corey said...

You're right!

- Corey Trager, author of BugTracker.NET

Nitin Reddy Katkam said...

Hi Corey!

It's a pleasant surprise to find your comment on my blog post.

Just in case you're working on a patch for BugTracker.NET, I think the ability to insert scripts can be controlled with a setting because sometimes they can be quite useful - they can pop up a window associated with the bug, for example.

While browsing the issue tracker on for BugTracker.NET,
I also came across another 'bug' that I'd rather have than see fixed, which is "*go to bug* goes to *add new bug* when id = 0". It's a nifty little feature that just adds to the usability of the site. I mean who would type in ID 0?