Project

General

Profile

Actions
Copy link

Bug #23555

closed

FORM content object is susceptible to XSS

Added by Helmut Hummel about 14 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Benni Mack
Category:
-
Target version:
-
Start date:
2010-09-17
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

An editor can enter arbitrary JavaScript into a FORM content element, which gets executed in the frontend.

Exploit code below

(issue imported from #M15735)

Files

Download all files
15735_trunk.patch (558 Bytes) 15735_trunk.patch Administrator Admin, 2010-12-02 20:29
15735_44.patch (500 Bytes) 15735_44.patch Administrator Admin, 2010-12-02 20:29
15735_43.patch (500 Bytes) 15735_43.patch Administrator Admin, 2010-12-02 20:29
15735_42.patch (500 Bytes) 15735_42.patch Administrator Admin, 2010-12-02 20:29
15735_v2_trunk.patch (903 Bytes) 15735_v2_trunk.patch Administrator Admin, 2010-12-09 19:52
15735_v2_44.patch (844 Bytes) 15735_v2_44.patch Administrator Admin, 2010-12-09 19:52
15735_v2_43.patch (844 Bytes) 15735_v2_43.patch Administrator Admin, 2010-12-09 19:52
15735_v2_42.patch (844 Bytes) 15735_v2_42.patch Administrator Admin, 2010-12-09 19:52
15735_42_v3.patch (779 Bytes) 15735_42_v3.patch Administrator Admin, 2010-12-09 20:42
15735_43_v3.patch (779 Bytes) 15735_43_v3.patch Administrator Admin, 2010-12-09 20:42
15735_44_v3.patch (779 Bytes) 15735_44_v3.patch Administrator Admin, 2010-12-09 20:42
15735_45_v3.patch (851 Bytes) 15735_45_v3.patch Administrator Admin, 2010-12-09 20:42
Actions
Copy link
 #1

Updated by Helmut Hummel about 14 years ago

Exploit Code:

Put this in the content element FORM:

Name: | *name=input,40 | Enter your name here
Email: | *email=input,40

| formtype_mail=submit | Send form!
| html_enabled=hidden | 1
| subject=hidden | This is the subject
| fooar" /><script>alert(123)</script><input type="hidden" name="bazbaz=hidden  | This is baz
Actions
Copy link
 #2

Updated by Benni Mack almost 14 years ago

The problem relies in the fact that the fieldname doesn't get HSCed.

Actions
Copy link
 #3

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF