Bug #61277

Major security issue - f:form viewhelper serializes the whole objects when used with $this->forward

Added by Dimitri Lavrenük over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2014-08-29
% Done: 0%
TYPO3 Version: 6.2
Is Regression: No

Description

This issue has been reported in a different context here:
https://forge.typo3.org/issues/57633

After digging a bit I found a huge security issue with this bug. You can get access to all properties of the object and all linked objects.
TYPO3 Version: 6.2.3

How to reproduce:

We need any model with two actions:
- Edit action
- Save action

Edit action -> Save action -> forward to Edit action with the model object as argument

After the save action the form generates a [__referrer][arguments] hidden field with the whole object hashed as base64.

typo3 6.2/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php line 229

The hash is not only huge (2 MB in my case) but also contains ALL the data forwarded. The hash can be unserialized via base64_decode and you can see all model properties of the object and ALL linked objects. If used with an object linked to a fe_user record you can access ALL the data from the user record (including hashed password and other security related data).

// Edit action: renders the form for the (possibly forwarded) object.
public function editAction(\Dl\Test\Domain\Model\Object $object = null) {
    $this->view->assign('object', $object);
}

// Save action: forwards the whole object back to the edit action as an argument.
public function saveAction(\Dl\Test\Domain\Model\Object $object) {
    $this->forward('edit', null, null, array('object' => $object));
}
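An added audit check, not part of this report or of TYPO3: it pulls the [__referrer][arguments] hidden field out of a rendered form, base64-decodes it and reports which serialized classes and sensitive property names the payload carries, so a site owner can confirm whether a form exposes forwarded objects. The form fragment, the plugin prefix tx_dltest_test and the serialized blobs are constructed stand-ins for the output described above.

```python
import base64
import html
import re

# Constructed stand-in for PHP serialize() output of a forwarded arguments array.
# Protected properties are emitted by PHP as "\0*\0name"; the FrontendUser data is invented.
SERIALIZED_OBJECT_ARGS = (
    'a:1:{s:6:"object";O:27:"Dl\\Test\\Domain\\Model\\Object":2:{'
    's:8:"\x00*\x00title";s:4:"Demo";'
    's:7:"\x00*\x00user";O:43:"TYPO3\\CMS\\Extbase\\Domain\\Model\\FrontendUser":2:{'
    's:11:"\x00*\x00username";s:5:"alice";'
    's:11:"\x00*\x00password";s:7:"$P$hash";}}}'
)

def _form_with_referrer(serialized):
    """Build a constructed form fragment; the plugin prefix tx_dltest_test is an assumed name."""
    encoded = base64.b64encode(serialized.encode()).decode()
    return ('<form method="post" action="/index.php?id=1">'
            '<input type="hidden" name="tx_dltest_test[__referrer][@action]" value="edit" />'
            '<input type="hidden" name="tx_dltest_test[__referrer][arguments]" value="' + encoded + '" />'
            '</form>')

LEAKY_FORM_HTML = _form_with_referrer(SERIALIZED_OBJECT_ARGS)   # whole object forwarded
SAFE_FORM_HTML = _form_with_referrer('a:1:{s:6:"object";i:42;}')  # only the record uid forwarded

_FIELD_RE = re.compile(r'name="[^"]*\[__referrer\]\[arguments\]"[^>]*?value="([^"]*)"')
_OBJECT_RE = re.compile(r'O:\d+:"([^"]+)":\d+:\{')
_SENSITIVE_RE = re.compile(r's:\d+:"(?:\x00[^\x00]*\x00)?(password|passwd|secret|token|salt)";')

def extract_referrer_arguments(form_html):
    """Return the decoded [__referrer][arguments] payload as bytes, or None if the field is absent."""
    match = _FIELD_RE.search(form_html)
    if match is None:
        return None
    return base64.b64decode(html.unescape(match.group(1)))

def audit_referrer_arguments(form_html):
    """Report what the referrer field exposes: payload size, serialized classes, sensitive property names."""
    blob = extract_referrer_arguments(form_html)
    if blob is None:
        return {"present": False, "size": 0, "classes": [], "sensitive_keys": [], "leaks_objects": False}
    text = blob.decode("latin-1")  # byte-transparent; serialize() lengths are byte counts
    classes = _OBJECT_RE.findall(text)
    sensitive = sorted(set(_SENSITIVE_RE.findall(text)))
    return {"present": True, "size": len(blob), "classes": classes,
            "sensitive_keys": sensitive, "leaks_objects": bool(classes)}
```

A referrer field that only carries scalars (the uid case) reports no classes, which is what a form should look like after the forward() call passes an identifier instead of the object.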

Related issues: 1 (0 open, 1 closed)

Is duplicate of TYPO3 Core - Bug #57633: FormViewHelper adds complete serialized objects to [__referrer][arguments] when forward is used - Rejected - 2014-04-04
