Bug #19935

closed

XSS in the User Admin

Added by Dmitry Dulepov almost 16 years ago. Updated over 14 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2009-01-29
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.1
PHP Version: 4.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Try setting the username to `something<script>alert('hi!')</script>` (without backticks) and navigate to the "User Admin". You'll get an alert. Seems like the user name is not htmlspecialchar'ed and an external script can be executed inside the TYPO3 BE. The List module shows the bad user name, but User Admin does not.

(issue imported from #M10298)
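The defect as the report describes it, shown as an added example for current PHP (not TYPO3's own code, which this ticket does not quote): a row-rendering function that inlines the stored username unescaped, beside one that escapes at the output site with htmlspecialchars. The user records and both rendering functions are constructed for illustration; the username payload is the one from the report.

```php
<?php
// Added example, not TYPO3 code. Two constructed backend user records; the
// second carries the payload from the report, stored as-is in the database.
$users = [
    ['uid' => 1, 'username' => 'admin'],
    ['uid' => 2, 'username' => "something<script>alert('hi!')</script>"],
];

// Vulnerable: the stored username is concatenated straight into the markup,
// so a <script> element in the value becomes part of the page's DOM.
function renderUserRowUnsafe(array $user): string
{
    return '<tr><td>' . $user['uid'] . '</td><td>' . $user['username'] . '</td></tr>';
}

// Fixed: escape at the output site. ENT_QUOTES also converts quotes, so the
// same value is safe inside attribute values; the charset is stated explicitly.
function renderUserRowSafe(array $user): string
{
    $name = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
    return '<tr><td>' . (int)$user['uid'] . '</td><td>' . $name . '</td></tr>';
}

// Regression check for the rendering site: no raw <script tag may survive.
// The escaped row contains "&lt;script&gt;", which this search does not match.
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

foreach ($users as $user) {
    $unsafe = renderUserRowUnsafe($user);
    $safe   = renderUserRowSafe($user);
    printf("uid %d unsafe row has raw <script>: %s\n", $user['uid'],
        containsRawTag($unsafe, 'script') ? 'yes' : 'no');
    printf("uid %d safe row has raw <script>:   %s\n", $user['uid'],
        containsRawTag($safe, 'script') ? 'yes' : 'no');
}
```

The ticket notes that the List module already rendered the same value harmlessly while User Admin did not, which is the usual shape of this bug: the fix is escaping at every rendering site, not rejecting the value on input.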


Files

10298.diff (552 Bytes), Administrator Admin, 2009-01-29 09:47
bug_10298_4-0.diff (4.81 KB), Administrator Admin, 2009-02-09 17:13
bug_10298_4-1.diff (4.91 KB), Administrator Admin, 2009-02-09 17:13
bug_10298_4-2.diff (5.45 KB), Administrator Admin, 2009-02-09 17:13
bug_10298_trunk.diff (5.53 KB), Administrator Admin, 2009-02-09 17:13
Actions #1

Updated by Steffen Kamper almost 16 years ago

Hi,

Could you commit this one with a cleaning patch adding spaces and CGL?
I did the same once with felogin.

Actions #2

Updated by Michael Stucki almost 16 years ago

@Steffen: Don't know what you're referring to, but I assume it has low priority and can be done later.

Actions #3

Updated by Michael Stucki almost 16 years ago

Attached is a new version for TYPO3 4.0, 4.1, 4.2 and Trunk (2009-02-09).

Actions #4

Updated by Michael Stucki almost 16 years ago

Fixed in versions 4.0.12, 4.1.10, 4.2.6.
