Due to a bug in either FF 17.0 or ckeditor, a dangerous, I dare say, vulnerability is made available to users using FF 17.0. The behavior is described here:
https://support.mozilla.org/en-US/questions/942438?page=2
A workaround is available, but I didn't pursue it; it requires editing some portion of the FCKeditor browser checking. My workaround was to force users to update to a version of Firefox other than 17.0. I preferably directed them to the Extended Support Release version using JavaScript, since we are an enterprise environment.
I plan to pursue an update to CKEditor; meanwhile, what options do I have to verify that for any update to a web browser I'm not exposing my edit-enabled pages to source code changes?
I jumped the gun when first reporting what my workaround was. Applying the update to 17.0.1 does work; however, my JavaScript user agent sniffing method fails. It fails because, unlike other Firefox version updates, the user agent doesn't reflect the actual version number, which is strange.
My Firefox 17.0.1 user agent shows as:
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
I expected the user agent to look like this without question:
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0.1
I also don't know at this time if the 17.0.1 ESR exhibits the same behavior. I don't at the moment have a machine at my disposal to test with and there is not yet a portable version of the 17.x ESR to make testing easier.
If anyone knows of a way to block specifically FF 17.0, please let me know. At the moment the only solution I can think of is replacement of FCKeditor with CKEditor, but that will take a bit of doing to convert since it's not a drop-in replacement.
I believe this is the Mozilla bug report that addressed the problem experienced in 17.0: https://bugzilla.mozilla.org/show_bug.cgi?id=792054 I'm not sure what the cause of the incorrect UA is.
I decided to take a close look at differences within the user agent string so that successful prevention of users posting with Firefox 17.0 can be conducted from the server.
Here is a comparison of the Firefox 17.0 and 17.0.1 user agent strings.
Armed with that knowledge, parsing the UA string within ColdFusion and forcing users to update prior to allowing the editor to load should provide some means of protection against FCKEditor allowing HTML and JavaScript editing to just anyone.
I ended up using this to parse the UA string and take action:
// Match only the Firefox 17.0 user agent: Gecko/17.0 token, and Firefox/17.0 at the very end of the string
if (ReFind("Gecko/17\.0.*Firefox/17\.0$", CGI.HTTP_USER_AGENT))
{
    // Tell the user why the editor is blocked, then send them to the Firefox download page
    WriteOutput('
        <script language="JavaScript">
        alert("Due to a bug in version 17.0 of Firefox this version is restricted from access to FCKEditor. Please update to version 10.0.11 Extended Support Release or 17.0.1 or later. If you need assistance with this please contact <Your IT Phone Number> or email <Your IT helpdesk number> and request an update to your Firefox browser.");
        window.location.replace("http://www.mozilla.org/en-US/firefox/organizations/all.html?lang-search=English&x=0&y=0");
        </script>'
    );
}
Message was edited by: D@yzW0rk Added script to take corrective action. Meant for use with Extended Support Release environments. Note the URL leads to the 10.x ESR not the next 17.x release branch.
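The distinction the thread arrives at, as an added example that is not part of the original posts: sniffing only the `Firefox/` version cannot tell 17.0 from 17.0.1, while also checking the `Gecko/` token can. The function names are hypothetical, and the 17.0 sample string is constructed to carry the `Gecko/17.0` token that the posted regex tests for; the other two samples are the strings quoted earlier in the thread.

```javascript
// Constructed sample user agents, following the formats quoted in this thread.
const SAMPLES = {
  // Assumption: the 17.0 UA carries Gecko/17.0, as the posted regex implies.
  ff17_0: "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0",
  // What 17.0.1 actually reports, per the second post.
  ff17_0_1: "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0",
  // What the poster expected 17.0.1 to report.
  expected: "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0.1",
};

// Extract the Gecko token and the trailing Firefox version, or null if absent.
function parseFirefoxUA(ua) {
  const m = /\bGecko\/(\S+)\s+Firefox\/(\d+(?:\.\d+)*)\s*$/.exec(String(ua || ""));
  return m ? { gecko: m[1], firefox: m[2] } : null;
}

// Version-only sniffing: also flags 17.0.1, because it still says Firefox/17.0.
function naiveIsBlocked(ua) {
  const p = parseFirefoxUA(ua);
  return p !== null && p.firefox === "17.0";
}

// Same condition as the posted ColdFusion regex: Gecko/17.0... plus Firefox/17.0 at the end.
function isBlocked(ua) {
  const p = parseFirefoxUA(ua);
  return p !== null && p.firefox === "17.0" && p.gecko.startsWith("17.0");
}

// Run both checks over the samples so the difference is visible side by side.
function compareChecks() {
  return Object.entries(SAMPLES).map(([name, ua]) => ({
    name,
    naive: naiveIsBlocked(ua),
    geckoAware: isBlocked(ua),
  }));
}

console.table(compareChecks());
```

The User-Agent header is supplied by the client, so a check like this only steers cooperating browsers toward an update; it does not stop a client that sends a different string.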