Bug #30095

Arbitrary TypoScript execution on system extension form

Added by Oliver Hader almost 8 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: -
Target version:
Start date: 2011-09-20
Due date:
% Done: 100%
TYPO3 Version: 4.6
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The new system extension form can be used to render custom FORM elements as well as regular cObjects like TEXT or COA.
Since the form wizard can be used by any editor in the backend and writes data to the field bodytext, this can also be used to execute arbitrary TypoScript without further access checks.

This change introduces two defined and allowed content elements "header" and "textblock" that can be defined by using the form wizard. If the TypoScript that was generated by the mentioned wizard is rendered, regular cObjects are disabled. If the FORM or FORM_INT cObject is used directly from a TypoScript template, all possible cObjects can still be used.
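The mitigation described above amounts to an allowlist applied only when the form definition originates from editor-controlled data. The following is an added illustration, not TYPO3's own code: the class and method names are hypothetical, and the sample form definition is constructed. It shows a renderer that accepts only the element types "header" and "textblock" when the definition came from the wizard (i.e. from the bodytext field), while a definition supplied by a TypoScript template may still reach the generic cObject renderer.

```php
<?php
// Added example (hypothetical, not TYPO3 code): allowlisting the element
// types that a wizard-generated form definition may use.

final class FormElementRenderer
{
    /** Element types an editor may produce through the form wizard. */
    private const WIZARD_ALLOWED_TYPES = ['header', 'textblock'];

    /**
     * @param array<int, array{type: string, value: string}> $elements parsed form definition
     * @param bool $fromWizard true when the definition was read from the bodytext
     *                         field (editor-controlled), false when it comes from a
     *                         TypoScript template (integrator-controlled)
     * @return string[] rendered HTML fragments, one per element
     */
    public function render(array $elements, bool $fromWizard): array
    {
        $out = [];
        foreach ($elements as $element) {
            $type = (string) ($element['type'] ?? '');
            $value = (string) ($element['value'] ?? '');
            if ($fromWizard && !in_array($type, self::WIZARD_ALLOWED_TYPES, true)) {
                // Editor-controlled input must not reach the generic cObject renderer.
                $out[] = '<!-- skipped disallowed element type '
                    . htmlspecialchars($type, ENT_QUOTES) . ' -->';
                continue;
            }
            $out[] = $this->renderElement($type, $value);
        }
        return $out;
    }

    private function renderElement(string $type, string $value): string
    {
        switch ($type) {
            case 'header':
                return '<h2>' . htmlspecialchars($value, ENT_QUOTES) . '</h2>';
            case 'textblock':
                return '<p>' . htmlspecialchars($value, ENT_QUOTES) . '</p>';
            default:
                // Stand-in for the generic cObject renderer (TEXT, COA, ...),
                // reachable only from template-supplied definitions.
                return '<!-- cObject ' . htmlspecialchars($type, ENT_QUOTES)
                    . ' would be rendered here -->';
        }
    }
}

// Constructed sample definition: two wizard elements plus one entry whose
// "type" names a generic cObject instead of a wizard element.
$elements = [
    ['type' => 'header',    'value' => 'Contact us'],
    ['type' => 'TEXT',      'value' => 'not a wizard element'],
    ['type' => 'textblock', 'value' => 'Please fill in the form.'],
];

$renderer = new FormElementRenderer();
print_r($renderer->render($elements, true));   // wizard origin: TEXT entry is skipped
print_r($renderer->render($elements, false));  // template origin: TEXT reaches the cObject path
```

The decisive input is the `$fromWizard` flag: it must be derived from where the definition was loaded (database field versus template), never from anything inside the definition itself, otherwise the allowlist can be bypassed by the same editor-controlled data it is meant to constrain.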

[Figure: Content Elements "header" and "text block"]

Attachment: form_wizard.png - Content Elements "header" and "text block" (33.3 KB), Oliver Hader, 2011-09-20 17:50

Associated revisions

Revision 7005e5e7
Added by Oliver Hader almost 8 years ago

[BUGFIX][SECURITY] Arbitrary TypoScript execution on system extension form

The new system extension form can be used to render custom FORM elements as
well as regular cObjects like TEXT or COA. Since the form wizard can be used
by any editor in the backend and writes data to the field bodytext, this can
also be used to execute arbitrary TypoScript without further access checks.

This change introduces two defined and allowed content elements "header" and
"textblock" that can be defined by using the form wizard. If the TypoScript
that was generated by the mentioned wizard is rendered, regular cObjects are
disabled. If the FORM or FORM_INT cObject is used directly from a TypoScript
template, all possible cObjects can still be used.

Change-Id: I573764de7583b078456e71e95ea7903b433c29db
Resolves: #30095
Releases: 4.6
Reviewed-on: http://review.typo3.org/5128
Reviewed-by: Andreas Wolf
Reviewed-by: Frederic Gaus
Tested-by: Frederic Gaus
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

History

#1 Updated by Oliver Hader almost 8 years ago

#2 Updated by Mr. Hudson almost 8 years ago

Patch set 1 of change I573764de7583b078456e71e95ea7903b433c29db has been pushed to the review server.
It is available at http://review.typo3.org/5128

#3 Updated by Oliver Hader almost 8 years ago

  • Status changed from New to Under Review

#4 Updated by Mr. Hudson almost 8 years ago

Patch set 2 of change I573764de7583b078456e71e95ea7903b433c29db has been pushed to the review server.
It is available at http://review.typo3.org/5128

#5 Updated by Oliver Hader almost 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#6 Updated by Riccardo De Contardi almost 2 years ago

  • Status changed from Resolved to Closed
