Bug #16647
Possible Scripting vulnerability
Status: closed
Description
Using the 'Toggle HTML source' button in the RTE (either in frontend or in the backend) allows a user to modify tags created by the RTE so that a script gets run simply by viewing the element (either in the RTE or outside it).
As an example: Modifying following string
<p>Test</p>
into this one:
<p onmouseover="alert('Script was run');">Test</p>
will activate the script and display the alert as soon as the mouse hovers over the enclosed paragraph. The script gets run in FE and BE mode, inside the RTE (when not in HTML source mode) and outside the RTE when displaying the generated content.
This could present a security threat, since any FE plugin using the RTE with this feature enabled could allow a FE user to input a script that would be run as soon as a BE user edits the saved content in the backend. Since the script could be run in the BE, it could possibly redirect the BE user to a URL that would run an unwanted action on the Typo3 system.
I strongly believe that this is a security issue and that it should be resolved quickly. This would however be my first security report, so I might have forgotten to include some info. Just contact me (angrysoul@videotron.ca) for further info.
Tested on rteHTMLArea 1.3.7 on Typo3 v4.0.0
(issue imported from #M4397)
Updated by Michael Stucki about 18 years ago
Thanks, the security team will immediately look at this.
Updated by Michel Boivin about 18 years ago
Didn't check this one out, but I presume that input validation is the same when the 'Show HTML source' button is available and when it is not.
If this assumption is right, it means that crafting an HTML form would allow a user to send a malicious tag running a script without using the 'show HTML source' button.
Updated by Dmitry Dulepov about 18 years ago
Just entering bad code does not mean security risk if validation code on the server removes such code.
Generally editors produce valid XHTML, so it is easy to remove offending things using xml_parse with a callback. I did that once with TinyMCE (left only p, br, b, i, u, a and img tags).
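Added example, not part of this thread and not TYPO3 or rteHTMLArea code: a whitelist sanitizer in Python built on the callback-based html.parser, in the spirit of the xml_parse-with-callback approach described above, run against the onmouseover payload from the report. It keeps only the tag list given above (p, br, b, i, u, a, img); the allowed attributes (href, title, src, alt, width, height) and the extra check that href/src carry no javascript: or data: scheme are assumptions added here, because a filter that only strips on* attributes still lets `<a href="javascript:...">` through. The inputs in the block are constructed for the demonstration.

```python
"""Whitelist HTML sanitizer (added illustration, not TYPO3 code).

Keeps p, br, b, i, u, a and img, drops every on* event-handler attribute,
rejects unsafe URL schemes in href/src, and discards script/style content
and comments.  Everything removed is recorded so the caller can log it.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img"}
# Assumed attribute whitelist; the thread only names the tag list.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}              # their text must vanish, not be re-emitted
_CTRL = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """True if the URL is relative or uses a scheme from SAFE_SCHEMES.
    Whitespace and control characters are removed first so that
    'java\\tscript:' or ' javascript:' cannot slip past the scheme check."""
    cleaned = _CTRL.sub("", value or "")
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.stack = []      # currently open allowed tags, used to re-balance output
        self.dropped = []    # audit trail of everything removed
        self._suppress = None

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append("tag:" + tag)
            if tag in RAW_TEXT_TAGS:
                self._suppress = tag         # swallow the element's text too
            return
        kept = []
        for name, value in attrs:            # html.parser already lowercases names
            if name.startswith("on"):
                self.dropped.append("attr:%s@%s" % (tag, name))
            elif name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append("attr:%s@%s" % (tag, name))
            elif name in URL_ATTRS and not safe_url(value):
                self.dropped.append("url:%s@%s" % (tag, name))
            else:
                kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == self._suppress:
            self._suppress = None
            return
        if tag not in self.stack:
            return                           # stray or disallowed close tag
        while self.stack:                    # close anything left open inside it
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self._suppress is None:
            self.out.append(escape(data, quote=False))   # text can never form a tag

    def handle_comment(self, data):
        self.dropped.append("comment")       # comments are discarded entirely

    def result(self):
        while self.stack:                    # close tags the input left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return (clean_html, dropped_items) for an untrusted HTML fragment."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed inputs: the payload from the report plus two bypass
    # attempts that an on*-only filter would let through.
    for sample in [
        '<p onmouseover="alert(\'Script was run\');">Test</p>',
        '<a href="javascript:alert(1)" onclick="steal()">link</a>',
        '<img src="x" onerror="alert(1)"><script>alert(2)</script><p>ok',
    ]:
        clean, dropped = sanitize(sample)
        print(repr(clean), dropped)
```

The sanitizer must run server-side on save (and ideally again on output); doing it only in the editor's JavaScript is exactly what the crafted-form comment above defeats. The `dropped` list is there so that a stripped on* attribute or javascript: URL can be logged as a likely attack rather than silently discarded.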
Updated by Michael Stucki almost 18 years ago
Can you still reproduce this in the most recent version?
Updated by Dmitry Dulepov almost 18 years ago
I tried this, in my environment onmouseXXX disappears on save.
Updated by Michel Boivin almost 18 years ago
Dmitry said: I tried this, in my environment onmouseXXX disappears on save.
I tried it as well, and the same behavior was observed.
Nice job!
Updated by Stanislas Rolland almost 17 years ago
I suppose the RTE transformation could be configured to keep the onmouseXXX attribute, but is this really to be considered a security issue?
Updated by Thorsten Kahler almost 17 years ago
This IS a security threat because it enables privilege escalation.
Updated by Stanislas Rolland almost 17 years ago
So, you mean that any onXXX attribute should be removed before the content is sent to be saved? And that it should not be configurable?
Updated by Stanislas Rolland almost 17 years ago
So what is the verdict on this issue?
Stanislas
Updated by Marcus Krause about 16 years ago
Any objections against closing this one?
Updated by Stanislas Rolland about 16 years ago
If the TYPO3 Security Team has no objection, I would close it.
Updated by Marcus Krause over 15 years ago
Reopen to change status to public and close it afterwards.
Marcus (TYPO3 Security Team)
Updated by Marcus Krause over 15 years ago
Unable to reproduce with current versions.