TYPO3 Core

This problem exists when you update Frontend User profile and when you use extention mm_forum administration in the backend

I also checked with IE7 - same Problem because not IE is the reason for the reaction of sysmantec Client firewall.
The reason is Symantec Client firewall detects the attack by itself and then blocks.

As this is the TYPO3 bugtracker, what would be a solution/suggestion in your opinion?

In my opinion there is something wrong in the php-scripts of the backend so the firewall detect this as an intrusion attack when the packets will be transfered from Client to the webserver and also in the other way. So I think this must be a special combination of printable or not printable characters.

next is the intrusion message of the firewall

Attempted Intrusion "HTTP MS IE Object Element Data DoS" against your machine was detected and blocked.
Intruder: localhost(http(80)).
Risk Level: Medium.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 1711.

you see this problem exists also when I use to the localhost. And this problem could be a security hole when symantec defines this as

HTTP MS IE Object Element Data DoS intrusion

Symantec defines this like you see in my first message. I think this is a problem for many users using typo3 al over the world because symantec is one of the biggest provider for client firewalls.

I think this should be corrected by changing typo3 code.

This Symantec filter was probably introduced due to a IE6 vulnerability back in 2004 (at least Symantec lists it as reference for this error message).
Error-Description: http://www.symantec.com/avcenter/attack_sigs/s21422.html
Vulnerability: http://www.securityfocus.com/bid/10167/info

"A denial of service vulnerability has been reported in Microsoft Internet Explorer. This condition may occur when a malicious web page specifies an Object element with a data property that has a value of "?" or "#" in addition to specifying a type property that refers to an image type. The vulnerability will reportedly cause the browser to crash."

Wolgang, could you log your traffic and provide a http/tcp capture log of this exactely moment when Symantec fires up this message.

I have captured the traffic with wireshark. Enclosed you will find the capture file. Following actions where be done in this few seconds:

1. Open one record of an Frontend-user
2. No change
3. save the record with the button "save and close"

I hope this capture file will help you. The symantec client firewall found 20 attacks and then blocked.

Best regards
Wolfgang

One quick advice: You should immediately change the password of FE-User Agatha because the according password is within the provided capture.

Unfortunately there's no POST-request within the capture. I would at least expect one such request.

password is changed. Today I will try to do 2 another capture one on client side and one on server side (testserver). But it will take a little bit time to activate this testserver.

Best regards
Wolfgang

Srry I'm a little bit late, but I had no connection to internet.

Now there are 3 captures. One capture (test with internet) I tested again the connection to www.megatreff.at with another system. Same troubles when try to start edit of Frontend-user or finish with save & close.

The other 2 captures are done when the firewall is switched of between testserver and client

There is one more question:
Why do you lock for a POST message. There are many GET messages. Is'nt it possible that one GET messages are the reason the firewall blocks?

Best regards
Wolfgang

Why do you lock for a POST message.

You said ealier:

This problem exists when you update Frontend User profile

That's why I think your firewall blocks this specific POST request!

please apologize my inaccurate description. The messages from the firewall start when I open the editform for the frontenduser.

Best regards
Wolfgang

This case is open. Please tell me who will have a look on this case. I think it should be interesting for the typo3 developer group, if symantec client firewall actual version have problems with parts of the typo3 backend.
I am sure this affects many users all over the world.

Best regards
wolfgang

I think Symantec should be notified. Symantec is the only one who gives false alarams. Why would TYPO3 fix it for Symantec? Fail ticket to them.

You are right, but symantec was informed and I were told, Symantec Client firewall does'nt have a bug. The messages between client and server will be identified to be a potential risk. So the Symantec client firewall is working correct.

Best regards
Wolfgang

I discussed this issue with Ingo (Renner) about two months ago. We decided that we won't take any steps to solve this "issue". It's obvious kind of a false positive by Symantec which tries to prevent exploits of a quite old vulnerability (2004) in IE6.
In between, it's all water under the bridge and your IE6 should either be patched or even IE7 is installed.
It's up to Symantec to fix this but probably they don't care either.

This isn't considered to be a TYPO3 problem!