Bug #24140
Cross-Site Scripting in showpic functionality
Status: closed
Description
With #22990 (applied on 2010-08-31 to 4-3, 4-4 & trunk) a new parameter "contentHash" has been added that prevents the XSS warning in IE.
This feature allows the content to be displayed by showpic to be stored in a cache table, so it no longer depends on receiving the whole HTML via an HTTP GET parameter.
When using the caching framework, contentHash represents a cacheIdentifier. When manipulated by a user, contentHash, and thus the cacheIdentifier, does not necessarily have the structure the caching framework expects for entry identifiers. An exception is then thrown in t3lib_cache_frontend_AbstractFrontend::has().
If contentHash contains JS code, it is displayed as is.
Vulnerable:
TYPO3 4.3.5+
TYPO3 4.4.3+
TYPO3 4.5alpha1+
with the caching framework enabled
Reporter: Andreas Weber
OTRS: 2010111910000013
(issue imported from #M16485)
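The flow the description outlines, as an added example that is not part of this issue or of TYPO3's own code: a stub cache frontend whose has() rejects malformed identifiers with a message that embeds the raw value, a showpic handler that echoes that message (the reported weakness), and a hardened handler that validates contentHash before it reaches the cache and logs the detail instead of displaying it. The identifier pattern, the class and function names and the sample input are assumptions made for this example.

```php
<?php
// Added example, not TYPO3 code. It models the showpic flow the report describes: the
// user-supplied "contentHash" is used directly as a cache entry identifier, and the
// exception raised for a malformed identifier reaches the browser with the value unescaped.

// Assumption: the caching framework accepts only identifiers of this shape; the pattern
// is illustrative and stands in for the framework's own entry-identifier check.
const ENTRY_IDENTIFIER_PATTERN = '/^[a-zA-Z0-9_%\-&]{1,250}$/';

class CacheFrontendStub
{
    private array $entries = [];
    public function set(string $id, string $content): void { $this->entries[$id] = $content; }
    public function has(string $id): bool
    {
        if (!preg_match(ENTRY_IDENTIFIER_PATTERN, $id)) {
            // The message embeds the raw identifier, as the report describes.
            throw new InvalidArgumentException('"' . $id . '" is not a valid cache entry identifier.');
        }
        return isset($this->entries[$id]);
    }
}

// Vulnerable handler: the exception text, carrying the client-controlled value, is output as is.
function showpicVulnerable(CacheFrontendStub $cache, string $contentHash): string
{
    try {
        return $cache->has($contentHash) ? 'render cached content' : 'not found';
    } catch (InvalidArgumentException $e) {
        return 'Error: ' . $e->getMessage();   // reflected without escaping
    }
}

// Hardened handler: validate before the value reaches the cache, keep the detail in the
// server log for debugging, and show the visitor only a generic message.
function showpicHardened(CacheFrontendStub $cache, string $contentHash): string
{
    if (!preg_match(ENTRY_IDENTIFIER_PATTERN, $contentHash)) {
        error_log('showpic: rejected malformed contentHash ' . var_export($contentHash, true));
        return 'Error: invalid request';       // nothing from the request is echoed back
    }
    return $cache->has($contentHash) ? 'render cached content' : 'not found';
}

$cache = new CacheFrontendStub();
$cache->set('abc123', '<img src="pic.jpg">');
$hostile = '<em>not a hash</em>';              // constructed sample input, not a valid identifier
echo showpicVulnerable($cache, $hostile), PHP_EOL; // the markup is echoed back verbatim
echo showpicHardened($cache, $hostile), PHP_EOL;   // rejected before the cache sees it
```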
Updated by Karsten Dambekalns almost 14 years ago
I have been pointed here by Christian Kuhn. He suggested removing the entry identifier, but that would mean removing the most important information for debugging.
The exception should be output only in development context anyway (admittedly I don't know how that is currently handled in 4.x) and otherwise be logged. I see this on the same level as PHP error messages - never display them unless in a development context.
Updated by Oliver Hader almost 14 years ago
Find attached the accordant patches that revert the changes of issue #22990 and use a chunked base64 to pass the data.