Bug #16647
closed
Possible Scripting vulnerability
Added by Michel Boivin about 18 years ago.
Updated over 15 years ago.
Description
Using the 'Toggle HTML source' button in the RTE (either in frontend or in the backend) allows a user to modify tags created by the RTE so that a script gets run simply by viewing the element (either in the RTE or outside it).
As an example: Modifying following string
<p>Test</p>
into this one:
<p onmouseover="alert('Script was run');">Test</p>
will activate the script and display the alert as soon as the mouse hovers over the enclosed paragraph. The script gets run in FE and BE mode, inside the RTE (when not in HTML source mode) and outside the RTE when displaying the generated content.
This could present a security threat, since any FE plugin using the RTE with this feature enabled could allow a FE user to input a script that would be run as soon as a BE user edits the saved content in the backend. Since the script could be run in the BE, it could possibly redirect the BE user to a URL that would run an unwanted action on the Typo3 system.
I strongly believe that this is a security issue and that it should be resolved quickly. This would however be my first security report, so I might have forgotten to include some info. Just contact me (angrysoul@videotron.ca) for further info.
Tested on rteHTMLArea 1.3.7 on Typo3 v4.0.0
(issue imported from #M4397)
Thanks, the security team will immediately look at this.
Didn't check this one out, but I presume that input validation is the same when the 'Show HTML source' button is available and when it is not.
If this assumption is right, it means that crafting an HTML form would allow a user to send a malicious tag running a script without using the 'show HTML source' button.
Just entering bad code does not mean security risk if validation code on the server removes such code.
Generally editors produce valid XHTML, so it is easy to remove offending things using xml_parse with a callback. I did that once with tinymce (left only p, br, b, i, u, a and img tags).
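As an added illustration (not part of this ticket, of TYPO3 or of rteHTMLArea), here is a Python version of the allowlist clean-up the comment above describes, run over the payload from the report. The tag and attribute allowlist (p, br, b, i, u, a, img) is taken from the comment; the attribute allowlist, the URL-scheme check and the sample inputs are my own assumptions. It drops every on* attribute regardless of configuration, rejects javascript:/data: URLs (including ones padded with tabs, which browsers ignore), and discards script/style bodies instead of merely unwrapping them. The server-side RTE transformation in TYPO3 does its own thing; this only shows the kind of check that makes the 'Toggle HTML source' button harmless.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not TYPO3 or rteHTMLArea code. Tag allowlist as in the comment
# above; the attribute allowlist and scheme list are assumptions for this example.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br", "img"}
SKIP_CONTENT = {"script", "style"}               # drop the body, not just the tag


def is_safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and friends. Browsers ignore control
    characters and whitespace inside the scheme, so strip them before looking."""
    stripped = "".join(ch for ch in value if ord(ch) > 32)
    try:
        return urlsplit(stripped).scheme.lower() in SAFE_SCHEMES
    except ValueError:           # malformed URL (e.g. bad IPv6 literal)
        return False


class RteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []        # (tag, attribute-or-None) pairs, handy for logging
        self._skipping = None    # script/style tag whose body is being discarded

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag in SKIP_CONTENT:
            self._skipping = tag
            self.dropped.append((tag, None))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))   # unwrap: keep text, lose the tag
            return
        parts = [tag]
        for name, value in attrs:   # HTMLParser already lower-cases names
            value = value or ""
            if (name.startswith("on")
                    or name not in ALLOWED_ATTRS.get(tag, set())
                    or (name in URL_ATTRS and not is_safe_url(value))):
                self.dropped.append((tag, name))
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        # Emit XHTML-style void tags (<br />, <img ... />) like the RTE does.
        self.out.append("<" + " ".join(parts) + (" />" if tag in VOID_TAGS else ">"))

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))   # re-escape <, >, &

    # Comments, doctypes and processing instructions carry nothing worth keeping
    # and have been used as injection vectors, so they are dropped outright.
    def handle_comment(self, data):
        self.dropped.append(("!--", None))

    def handle_decl(self, decl):
        self.dropped.append(("!", None))

    def handle_pi(self, data):
        self.dropped.append(("?", None))


def sanitize(fragment: str):
    """Return (clean_html, dropped) for one RTE fragment."""
    s = RteSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    # Constructed inputs: the payload from the report plus a few common variants.
    samples = [
        '<p onmouseover="alert(\'Script was run\');">Test</p>',
        '<a href="javascript:alert(1)">link</a>',
        '<a href="java\tscript:alert(1)">link</a>',
        '<img src="x" onerror="alert(1)">',
        '<script>alert(1)</script><b>bold</b>',
        '<p>1 &lt; 2<br/>ok</p>',
    ]
    for html in samples:
        clean, dropped = sanitize(html)
        print(f"{html!r:55} -> {clean!r}  dropped={dropped}")
```

This is a whitelist filter, not a tag balancer: a stray end tag for an allowed element is passed through, and non-allowlisted elements are unwrapped rather than removed, so their text survives as escaped data. The `dropped` list is what you would want to log when a frontend user's submission loses attributes on save.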
Can you still reproduce this in the most recent version?
I tried this, in my environment onmouseXXX disappears on save.
Dmitry said: I tried this, in my environment onmouseXXX disappears on save.
I tried it as well, and the same behavior was observed.
Nice job!
So, can I close this issue?
I suppose the RTE transformation could be configured to keep the onmouseXXX attribute, but is this really to be considered a security issue?
This IS a security threat because it enables privilege escalation.
So, you mean that any onXXX attribute should be removed before the content is sent to be saved? And that it should not be configurable?
So what is the verdict on this issue?
Stanislas
Any objections against closing this one?
If the TYPO3 Security Team has no objection, I would close it.
Reopen to change status to public and close it afterwards.
Marcus (TYPO3 Security Team)
Unable to reproduce with current versions.