CKEditor not working in content store or blog editing

Description

I tested this with v.3.0.0+00568.

CKEditor is not working in content store or blog editing. The toolbar never comes up and there is a JS error:

Error: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data
Source File: http://site.localhost/modules/contentbox-admin/includes/js/contentbox-pre.js
Line: 4

I tested this in Firefox and Chrome on Windows 7.

This is an issue with the ACF where "Prefix serialized JSON with" is enabled and set to "//", which is a recommendation from the lockdown guide and is a valid configuration.

The solution should be to do a replaceNoCase for both "//{" and "//[" at the start of the JSON string. If that ACF setting is enabled, that will normalize the JSON.
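The normalisation step proposed above, as an added client-side example (not ContentBox's own code and not the contentbox-pre.js implementation): it strips a configured "Prefix serialized JSON with" prefix only when a JSON object or array follows it, so responses from Lucee or from an ACF server with the setting off pass through untouched. The default prefix of "//" is the lockdown-guide value from the ticket; the prefix list, the function names and the sample responses are assumptions made for this illustration.

```javascript
// Added example, not part of ContentBox. Normalise a JSON response that may
// carry Adobe ColdFusion's "Prefix serialized JSON with" prefix before it is
// handed to JSON.parse. ACF lets the prefix be any string, so the caller can
// pass the prefix(es) its server is configured with; "//" is the default here.

const DEFAULT_PREFIXES = ["//"];

/**
 * Strip a known anti-hijacking prefix from the start of a JSON payload.
 * The prefix is removed only when what follows it is a JSON object or array,
 * so a body that was never prefixed is returned unchanged and a body that
 * merely happens to start with "//" but is not JSON is left alone.
 */
function stripJsonPrefix(text, prefixes = DEFAULT_PREFIXES) {
  const trimmed = text.replace(/^\s+/, "");
  for (const prefix of prefixes) {
    if (trimmed.startsWith(prefix)) {
      const rest = trimmed.slice(prefix.length).replace(/^\s+/, "");
      if (rest.startsWith("{") || rest.startsWith("[")) {
        return rest;
      }
    }
  }
  return trimmed;
}

// Drop-in replacement for JSON.parse on responses from an ACF server that
// may or may not have the prefix setting enabled.
function parseProtectedJson(text, prefixes = DEFAULT_PREFIXES) {
  return JSON.parse(stripJsonPrefix(text, prefixes));
}

// Constructed sample bodies: what ACF returns with the setting on (object and
// array form) and the plain form returned when no prefix is configured.
const PREFIXED_OBJECT = '//{"editor":"ckeditor","toolbar":["Bold","Link"]}';
const PREFIXED_ARRAY = "//[1,2,3]";
const PLAIN_OBJECT = '{"editor":"ckeditor"}';

function demo() {
  // A direct JSON.parse on the prefixed body reproduces the ticket's
  // "unexpected character at line 1 column 1" SyntaxError.
  let direct;
  try {
    JSON.parse(PREFIXED_OBJECT);
    direct = "parsed";
  } catch (e) {
    direct = e.name;
  }
  return {
    direct,
    object: parseProtectedJson(PREFIXED_OBJECT),
    array: parseProtectedJson(PREFIXED_ARRAY),
    plain: parseProtectedJson(PLAIN_OBJECT),
  };
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Because the prefix is configurable on the server, the prefix list has to be supplied from the same place the server setting is managed; the server-side alternative discussed later in the thread is to turn the prefix off for the ContentBox application alone in its Application.cfc rather than for the whole ACF instance.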

Activity

Brad Wood
August 2, 2016, 2:03 AM

Like I commented in the other ticket, this has been an issue in CommandBox for years and there's no good workaround. This ticket was put in years ago for Adobe to give us a workaround and they closed it as "not enough time":
https://cfbugs.adobe.com/index.cfm?event=bug&id=3040329

Daniel Garcia
August 2, 2016, 3:27 AM

I agree it is a pain, but for the people using Adobe CF with that enabled, they are going to have issues. Having them turn the setting off is the quick solution, but if they are trying to harden their server, it's not as good. I don't know how many people this will affect. If you do the replaceNoCase and there is nothing to replace, things will still work. It's just too bad having to do extra processing when not needed for Lucee or ACF servers that don't have this enabled.

Luis Majano
August 2, 2016, 3:33 PM

Personally, I think this setting does nothing to prevent execution. You can always clean up the response and inject and manipulate it. Plus, it can be ANYTHING, so I would have to create a setting to control its cleanup. I can't justify this ticket at this moment.

Brad Wood
August 2, 2016, 4:48 PM

FWIW, here's a good write-up of how the exploit actually works. This blog is from 2008 and notes that all modern browsers are no longer susceptible to the exploit. I think Firefox 2 or IE 5 was the latest version of browsers it supposedly worked on.
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

If you don't want to turn it off for the entire server, you could at least disable it for the ContentBox site with the Application.cfc setting.

Daniel Garcia
August 2, 2016, 5:04 PM

I forgot about that application.cfc setting. I think that is a good workaround for this issue.

Won't Do

Assignee

Luis Majano

Reporter

Daniel Garcia

Labels

None

Priority

Major