Bug #19523
closed
Crossite scripting vulnerability in Core ext. felogin
0%
Description
The redirect_url parameter in felogin extension is not filtered by htmlspecialchars.
I have test this on a fresh installed Tzpo3 4.2.2 without anz third partz extensions.
Simple create a loginform and call the login page e.g with this url:
"login" is the alias of the login page
Note: In some cases the server configuration can prevent this isue.
(issue imported from #M9673)
Files
Updated by Dirk Hoffmann over 15 years ago
Correction:
PHP Version on Testsystem is 5.2
Updated by Marcus Krause over 15 years ago
This will be handled by TYPO3 Security Team from now on.
Marcus.
Updated by Dmitry Dulepov over 15 years ago
Logout is also vulnerable for the issue. I attach a different patch that solves the problem for both login and logout.
Updated by Marcus Krause over 15 years ago
Issue confirmed for 4.2.0, 4.2.1, 4.2.2
mentioned additional logout vulnerability confirmed for 4.2.2
Updated by Marcus Krause over 15 years ago
added patch that could be successfully applied to current rb42 revision (as 2nd hunk of Dmitry's patch will fail due to outdated working copy)
modifications are the same like in Dmitry's one
credits go to Dmitry! ;-)
Updated by
Updated by Steffen Kamper over 15 years ago
thanks from me too!
I integrated that in #9681, did a version for 4.2 and will declare this as cleaning up to CGL (which i did, missing spaces) and a forgotten HSC that can destroy HTML output.
Updated by Helmut Hummel about 7 years ago
- Project changed from 1716 to TYPO3 Core
- Description updated (diff)
- Category deleted (
Communication) - Target version deleted (
-1) - Is Regression set to No