Bug #24140

closed

Cross-Site Scripting in showpic functionality

Added by Marcus Krause about 14 years ago. Updated about 6 years ago.

Status: Closed
Priority: Should have
Category: Communication
Target version: -
Start date: 2010-11-19
% Done: 0%

Description

With #22990 (applied on 2010-08-31 to 4-3, 4-4 & trunk) a new parameter "contentHash" has been added that prevents the XSS warning in IE.
This feature allows storing the to-be-displayed content for showpic in a cache table and thus no longer depends on receiving the whole HTML via an HTTP GET parameter.

When using the cache framework, contentHash represents a cacheIdentifier. When manipulated by a user, contentHash, and thus the cacheIdentifier, does not necessarily have the structure the caching framework expects for entry identifiers. Then an exception is thrown in t3lib_cache_frontend_AbstractFrontend::has().

If contentHash contains JS code, this is displayed as is.

vulnerable:
TYPO3 4.3.5+
TYPO3 4.4.3+
TYPO3 4.5alpha1+
with Caching framework enabled

Reporter: Andreas Weber
OTRS: 2010111910000013
(issue imported from #M16485)
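
The failure mode described above (a user-supplied contentHash reaching the cache lookup, and the resulting error text being shown unencoded) with one way to guard against it, as an added example that is neither TYPO3 core code nor the attached patch. `DemoCache`, `renderShowpic()` and both identifier patterns are assumptions made for this sketch.

```php
<?php
// Added example, not TYPO3 core code; all names here are hypothetical.
// Assumed shape of a legitimate contentHash for this sketch: a hex digest.
const CONTENT_HASH_PATTERN = '/^[a-f0-9]{32,64}$/D';

/** Stand-in for a cache frontend that rejects malformed identifiers. */
final class DemoCache
{
    private array $entries = [];

    public function set(string $id, string $html): void
    {
        $this->entries[$id] = $html;
    }

    public function get(string $id): ?string
    {
        if (!preg_match('/^[a-zA-Z0-9_-]{1,250}$/D', $id)) {
            // Same failure mode as in the report: the message embeds the raw identifier.
            throw new InvalidArgumentException('"' . $id . '" is not a valid cache entry identifier.');
        }
        return $this->entries[$id] ?? null;
    }
}

/** Builds the response body for a showpic-style request. */
function renderShowpic(DemoCache $cache, $contentHash): string
{
    // 1. Reject anything that is not a string of the expected shape before the cache sees it.
    if (!is_string($contentHash) || !preg_match(CONTENT_HASH_PATTERN, $contentHash)) {
        return 'Invalid parameter.'; // fixed text, never echoes the input
    }
    try {
        $html = $cache->get($contentHash);
    } catch (Exception $e) {
        // 2. Defence in depth: encode exception text before it reaches the page.
        return htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
    return $html ?? 'Content not found.';
}

$cache = new DemoCache();
$hash = md5('constructed sample');                     // constructed identifier
$cache->set($hash, '<img src="pic.jpg" alt="">');

echo renderShowpic($cache, $hash), "\n";               // well-formed hash
echo renderShowpic($cache, '<b>not a hash</b>'), "\n"; // constructed malformed value
echo renderShowpic($cache, ['x']), "\n";               // array instead of a string
```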


Files

16485.patch (671 Bytes), Administrator Admin, 2010-11-20 19:45
16485_43_v2.patch (7.58 KB), Administrator Admin, 2010-12-10 00:33
16485_44_v2.patch (8.19 KB), Administrator Admin, 2010-12-10 00:33
16485_45_v2.patch (8.15 KB), Administrator Admin, 2010-12-10 00:33

Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #22990: imageLinkWrap.JSwindow triggers XSS warning or Fails (Closed, Susanne Moog, 2010-06-24)
Related to TYPO3 Core - Bug #24453: showpic.php causes a fatal error if parameters GET variable is not an array (Closed, Steffen Ritter, 2011-01-02)
