Bug #33272

closed

Persistent XSS in HTML content element through t3editor

Added by Sara no-lastname-given almost 13 years ago. Updated about 6 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2012-01-17
% Done: 0%
TYPO3 Version: 4.6
PHP Version: 5.3

Description

The t3editor of the HTML content element is susceptible to XSS, as output is not escaped. This can lead to privilege escalation in the Backend.

By disabling the t3editor, you can enter code like this

</textarea><script>alert(1)</script>

Opening with t3editor enabled will then execute the JS.

Original report:

</textarea> triggers end of html content element in backend

Surely the html CE should be self-contained? Is there any way of turning this 'feature' off?

Also reported by Michael B. in #33252
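
The unescaped output described in the report, shown next to an escaped variant, as an added PHP example (not TYPO3 or t3editor code and not the patch under review; the function names and the `bodytext` field name are assumptions):

```php
<?php
// Added illustration; not TYPO3 or t3editor code. Function names are hypothetical.

// Pattern from the report: stored content is written into the textarea verbatim.
function renderEditorUnescaped(string $stored): string
{
    return '<textarea name="bodytext">' . $stored . '</textarea>';
}

// Escaped variant: HTML metacharacters become entities, so the content stays text.
function renderEditorEscaped(string $stored): string
{
    return '<textarea name="bodytext">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</textarea>';
}

// A browser ends the textarea at the first closing tag; whatever follows is
// parsed as ordinary markup. Return that trailing markup ('' means contained).
function markupAfterTextarea(string $html): string
{
    $parts = preg_split('~</textarea\s*>~i', $html, 2);
    return isset($parts[1]) ? trim($parts[1]) : '';
}

// Constructed samples: the value from the report plus ordinary editor content.
$samples = [
    '</textarea><script>alert(1)</script>',
    '<p class="intro">Tom & Jerry</p>',
];

foreach ($samples as $stored) {
    $unescaped = renderEditorUnescaped($stored);
    $escaped   = renderEditorEscaped($stored);

    printf("stored:    %s\n", $stored);
    printf("unescaped: trailing markup = %s\n", var_export(markupAfterTextarea($unescaped), true));
    printf("escaped:   trailing markup = %s\n", var_export(markupAfterTextarea($escaped), true));

    // The browser decodes the entities again, so the editor still shows and
    // submits the original value; escaping does not alter the stored content.
    $inner = substr($escaped, strlen('<textarea name="bodytext">'), -strlen('</textarea>'));
    $roundTrip = htmlspecialchars_decode($inner, ENT_QUOTES);
    printf("round trip intact: %s\n\n", var_export($roundTrip === $stored, true));
}
```

Only the unescaped rendering of the first sample leaves markup after the textarea; the escaped rendering keeps both samples inside the element and returns them unchanged.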


Related issues 1 (0 open, 1 closed)

Is duplicate of TYPO3 Core - Bug #33651: closing textarea tag on html element in backend closes the textarea itself. (Closed, 2012-02-03)

Actions #1

Updated by Markus Klein almost 13 years ago

Hi Sara,

I'm sorry, but I've absolutely no clue what this issue is about.
Please consider describing your problem more precisely.

Thank you.

Actions #2

Updated by Steffen Gebert almost 13 years ago

  • Project changed from TYPO3 Core to 1716

Actions #3

Updated by Steffen Gebert almost 13 years ago

  • Subject changed from </textarea> triggers end of html content element in backend to XSS in HTML content element through t3editor
  • Category set to OW-A07: Cross Site Scripting

It might be a problem on my side, but disabling the t3editor did not work for me. Is this feature defective?
If it's defective, either manually insert it into the database or insert it in a 4.5 installation and then upgrade to 4.6+ ;-)

Actions #4

Updated by Steffen Gebert almost 13 years ago

  • Status changed from New to Closed

Resolved as duplicate

Actions #5

Updated by Steffen Gebert almost 13 years ago

  • Status changed from Closed to Accepted

Damn it.. didn't want to close both of the reports :-/

Actions #6

Updated by Steffen Gebert almost 13 years ago

Applies to 4.6+4.7

Actions #7

Updated by Gerrit Code Review almost 13 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/8761

Actions #8

Updated by Gerrit Code Review almost 13 years ago

Patch set 1 for branch TYPO3_4-6 has been pushed to the review server.
It is available at http://review.typo3.org/8762

Actions #9

Updated by Steffen Gebert almost 13 years ago

  • Subject changed from XSS in HTML content element through t3editor to Persistent XSS in HTML content element through t3editor

Actions #10

Updated by Helmut Hummel almost 13 years ago

Hi,

I think that the HTML content element should NEVER be available for editors, because by definition being able to edit plain HTML leads to persistent XSS.

That said, I'm fine with fixing that publicly.

Actions #11

Updated by Steffen Gebert almost 13 years ago

Fine, will take care of it.

Actions #12

Updated by Helmut Hummel over 12 years ago

  • Project changed from 1716 to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)

Actions #13

Updated by Steffen Gebert over 12 years ago

I guess you discussed that; would you share your opinion on why this is no security issue? Because the HTML CE is treated badly generally?

As soon as an editor has access to the HTML CE, the persistent XSS is IMHO nothing desirable.

Actions #14

Updated by Steffen Gebert about 12 years ago

This is not a critical issue, as editors who can use the HTML CE still have the possibility to put JS into Frontend code. Giving this possibility also for the Backend is no additional security issue.

So this is just a bug fix.

Actions #15

Updated by Georg Ringer over 11 years ago

  • Status changed from Under Review to Resolved

Actions #16

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed