BUG_Author: s0l42

Affected Version: ueditor 1.4.3.2

Vendor: ueditor GitHub Repository

Software: ueditor

Vulnerability Files:

• php/controller.php

Description:

Jsonp Injection:

• In the file php/controller.php, the code in the end of the file echo $_GET["callback"] . '(' . $result . ')';do not check the parameter callback users input, which causes a jsonp injection.
• For example, when callback is alert(1);, the response is alert(1);(result), alert(1) will be executed

Analysis

We analyse the code, which do not have any check but echo user input from callback

if (isset($_GET["callback"])) {
    echo $_GET["callback"] . '(' . $result . ')';
} else {
    echo $result;
}