Bug #19523

Cross-site scripting vulnerability in Core ext. felogin

Added by Dirk Hoffmann about 11 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2008-10-29
Due date:
% Done:

0%

TYPO3 Version:
4.2
PHP Version:
4.3
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

The redirect_url parameter in the felogin extension is not filtered by htmlspecialchars.

I have tested this on a freshly installed TYPO3 4.2.2 without any third party extensions.
Simply create a login form and call the login page, e.g. with this URL:

http://www.somedomain.tld/index.php?id=login&redirect_url=%22%3e%3cSCRIPT%3ealert('Paros')%3c/SCRIPT%3e%3cspan%20%22

"login" is the alias of the login page.

Note: In some cases the server configuration can prevent this issue.
(issue imported from #M9673)

felogin.patch View (622 Bytes) Administrator Admin, 2008-10-29 17:22

9673.diff View (1.19 KB) Administrator Admin, 2008-10-30 09:24

0009673_rev4386.diff View (1.24 KB) Administrator Admin, 2008-10-30 16:35
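To illustrate the pattern behind this report, here is an added example that is not felogin's code and not taken from the reporter or the attached patches: a hypothetical form renderer that echoes redirect_url into an attribute unescaped, the same renderer with htmlspecialchars() applied (the "HSC" the later comments refer to), and a DOM-based check a unit test can use to confirm nothing was injected. The function names, the form markup and the DOM check are assumptions.

```php
<?php
// Added example (not the felogin code). Reproduces the reported flaw, a
// request parameter placed inside an HTML attribute without escaping, and
// shows the fix. All function and variable names are hypothetical.
declare(strict_types=1);

function render_form_vulnerable(string $action, string $redirectUrl): string
{
    // Unescaped: a value containing "> closes the attribute and injects markup.
    return '<form action="' . $action . '" method="post">'
         . '<input type="hidden" name="redirect_url" value="' . $redirectUrl . '" />'
         . '</form>';
}

function render_form_fixed(string $action, string $redirectUrl): string
{
    // ENT_QUOTES escapes both quote styles, so the value can never terminate a
    // single- or double-quoted attribute; the charset is stated explicitly.
    $safeAction = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    $safeUrl    = htmlspecialchars($redirectUrl, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safeAction . '" method="post">'
         . '<input type="hidden" name="redirect_url" value="' . $safeUrl . '" />'
         . '</form>';
}

// Defensive check for a test: parse the rendered fragment the way a browser
// would and require exactly one <input> and no <script> element.
function output_is_safe(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length === 0
        && $doc->getElementsByTagName('input')->length === 1;
}

// Constructed input: the URL-decoded redirect_url value from the report.
$tainted = '"><SCRIPT>alert(\'Paros\')</SCRIPT><span "';

var_dump(output_is_safe(render_form_vulnerable('/index.php?id=login', $tainted)));
var_dump(output_is_safe(render_form_fixed('/index.php?id=login', $tainted)));
```

The same renderer serves a logout form, which the thread notes was affected as well; the escaping has to be applied at every place the parameter is written into markup.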

History

#1 Updated by Dirk Hoffmann about 11 years ago

Correction:
PHP Version on Testsystem is 5.2

#2 Updated by Dirk Hoffmann about 11 years ago

Thanks to Matthias Humbert too.

#3 Updated by Marcus Krause about 11 years ago

This will be handled by TYPO3 Security Team from now on.

Marcus.

#4 Updated by Dmitry Dulepov about 11 years ago

Logout is also vulnerable for the issue. I attach a different patch that solves the problem for both login and logout.

#5 Updated by Marcus Krause about 11 years ago

Thanks Dmitry!

#6 Updated by Marcus Krause about 11 years ago

Issue confirmed for 4.2.0, 4.2.1, 4.2.2

Mentioned additional logout vulnerability confirmed for 4.2.2.

#7 Updated by Marcus Krause about 11 years ago

Added patch that could be successfully applied to current rb42 revision (as the 2nd hunk of Dmitry's patch will fail due to an outdated working copy).
Modifications are the same as in Dmitry's one.

credits go to Dmitry! ;-)

#8 Updated by Ingo Renner about 11 years ago

thanks Dmitry!

#9 Updated by Steffen Kamper about 11 years ago

thanks from me too!

I integrated that in #9681, did a version for 4.2 and will declare this as cleaning up to CGL (which I did, missing spaces) and a forgotten HSC that can destroy HTML output.

#10 Updated by Ingo Renner about 11 years ago

fixed through patch for issue #9681

#11 Updated by Helmut Hummel almost 3 years ago

  • Project changed from Core Security to TYPO3 Core
  • Description updated (diff)
  • Category deleted (Communication)
  • Target version deleted (-1)
  • Is Regression set to No
