FCKeditor spellchecker.php cross site scripting vulnerability
Description
FCKeditor version 2.6.7 and earlier contains a cross-site scripting (XSS) vulnerability in the spellchecker.php file. The print_textinputs_var function fails to properly sanitize user input from textinputs array parameters, allowing attackers to inject malicious JavaScript or HTML code. This vulnerability can be exploited remotely without authentication, making it a significant security risk for applications using affected versions.
Remediation
Take the following steps to remediate this vulnerability:
1. Immediate Action: Upgrade FCKeditor to version 2.6.8 or later, which addresses this vulnerability. Note that FCKeditor has been discontinued and replaced by CKEditor.
2. Recommended Migration: Migrate from FCKeditor to CKEditor 4.x or CKEditor 5.x, as FCKeditor is no longer maintained and may contain additional unpatched vulnerabilities.
3. Temporary Mitigation: If immediate upgrade is not possible, implement input validation and output encoding for all user-supplied data processed by spellchecker.php. Apply Content Security Policy (CSP) headers to restrict script execution.
4. Verification: After upgrading, test the spellchecker functionality and scan for any remaining XSS vulnerabilities using automated security testing tools.
5. Long-term: Implement a regular patch management process to ensure all third-party components remain up-to-date.
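As an added illustration of the temporary mitigation in step 3 (this is example code written for this page, not FCKeditor's or CKEditor's own source), the following PHP shows the two controls together: encoding the textinputs[] values before they are written into a JavaScript context, and sending a nonce-based Content Security Policy so that inline script outside the page's own nonce-tagged block does not run. The function names safe_print_textinputs_var, csp_nonce and send_csp_header, the CSP directive set, and the sample input are assumptions chosen for the example; the original print_textinputs_var body is not reproduced here.

```php
<?php
// Added example, not FCKeditor's code: hardened emission of the textinputs[]
// request parameter into a <script> block plus a nonce-based CSP header.
// Names and policy values below are assumptions made for this example.

declare(strict_types=1);

/**
 * Return a JavaScript statement assigning the cleaned textinputs array.
 * Only scalar strings are kept; nested arrays or other types are dropped.
 * json_encode with the HEX flags rewrites < > & ' " as \uXXXX escapes, and
 * the default escaping of "/" keeps "</script>" from appearing literally,
 * so the value can neither close the surrounding <script> tag nor break
 * out of the string literal.
 */
function safe_print_textinputs_var(array $textinputs): string
{
    $clean = array_values(array_filter($textinputs, 'is_string'));

    $encoded = json_encode(
        $clean,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );

    return 'var textinputs = ' . $encoded . ';';
}

/** Fresh per-response nonce (128 bits, base64) for the CSP and script tag. */
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Send a CSP that permits only same-origin scripts and the inline block
 * carrying this response's nonce. Because the spellchecker page itself
 * needs an inline script, a nonce is used instead of forbidding inline
 * script outright; without it the page's own script would be blocked too.
 */
function send_csp_header(string $nonce): void
{
    header(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-" . $nonce . "'; "
        . "object-src 'none'; base-uri 'self'"
    );
}

// Constructed sample input standing in for $_POST['textinputs'] / $_GET['textinputs'].
// It contains quotes, an ampersand, a closing script tag and a nested array.
$sample = ['hello', 'he said "hi" & </script>', ['nested' => 'dropped']];

$nonce = csp_nonce();
if (!headers_sent()) {
    send_csp_header($nonce);
}

// The nonce is attribute-encoded even though base64 is safe; the habit
// of encoding per output context is the point of the mitigation.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">', "\n";
echo safe_print_textinputs_var($sample), "\n";
echo '</script>', "\n";
```

Run it with the PHP CLI to see the encoded assignment; the `</script>` and quote characters in the constructed sample come out as `\u003c\/script\u003e` and `\u0022`, so they stay inert inside the string literal. This is a stopgap for unsupported FCKeditor deployments only; the upgrade or migration in steps 1 and 2 remains the actual fix.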