Bug #19935

closed

XSS in the User Admin

Added by Dmitry Dulepov almost 16 years ago. Updated over 14 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2009-01-29
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.1
PHP Version: 4.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Try setting the username to `something<script>alert('hi!')</script>` (without backticks) and navigate to the "User Admin". You'll get an alert. It seems the user name is not htmlspecialchar'ed, so an external script can be executed inside the TYPO3 BE. The List module shows the bad user name, but the User Admin does not.

(issue imported from #M10298)
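The report describes output that is written into the User Admin markup without `htmlspecialchars()`. The following is an added illustration, not TYPO3's own code or the attached patch: a minimal row renderer in the vulnerable form next to the escaped form, plus a check a maintainer can use to confirm the fix. All function names and the sample username are constructed for this example.

```php
<?php
// Added example, not TYPO3 code. Shows why the User Admin alert fires and
// what the escaped output looks like. PHP 4.3-compatible on purpose,
// since that is the PHP version listed on the report.

// Vulnerable form: the stored username is concatenated straight into HTML,
// so any markup in it is parsed by the browser as part of the page.
function renderUserRowUnescaped($username) {
    return '<tr><td>' . $username . '</td></tr>';
}

// Fixed form: encode &, <, >, " and ' before output. ENT_QUOTES also covers
// single quotes, which matters if the value ever lands inside an attribute.
function renderUserRowEscaped($username) {
    return '<tr><td>' . htmlspecialchars($username, ENT_QUOTES) . '</td></tr>';
}

// Regression check: true if the rendered HTML still carries a raw <script tag.
// strtolower/strpos instead of stripos to stay PHP 4 compatible.
function containsRawScriptTag($html) {
    return strpos(strtolower($html), '<script') !== false;
}

// Constructed username taken from the report (backticks removed).
$username = "something<script>alert('hi!')</script>";

$unsafe = renderUserRowUnescaped($username);
$safe   = renderUserRowEscaped($username);

echo "unescaped carries raw script tag: " . (containsRawScriptTag($unsafe) ? 'yes' : 'no') . "\n";
echo "escaped carries raw script tag:   " . (containsRawScriptTag($safe)   ? 'yes' : 'no') . "\n";
echo $safe . "\n";
```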


Files

10298.diff (552 Bytes), Administrator Admin, 2009-01-29 09:47
bug_10298_4-0.diff (4.81 KB), Administrator Admin, 2009-02-09 17:13
bug_10298_4-1.diff (4.91 KB), Administrator Admin, 2009-02-09 17:13
bug_10298_4-2.diff (5.45 KB), Administrator Admin, 2009-02-09 17:13
bug_10298_trunk.diff (5.53 KB), Administrator Admin, 2009-02-09 17:13