Bug #58816
closed
Response Splitting Vulnerability
Added by Sven Carstens over 10 years ago.
Updated about 6 years ago.
Description
TYPO3 4.7.18 is vulnerable to Response Splitting (http://en.wikipedia.org/wiki/HTTP_response_splitting)
A recent security audit on our installed customer systems discovered a Response Splitting vulnerability that can be triggered via the redirect_url parameter used by the felogin extension.
The request:
curl -i http://localhost/ --data 'logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0aSomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd'
The Response headers:
---------------------
HTTP/1.1 303 See Other
Date: Wed, 14 May 2014 14:06:25 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: http://localhost/
SomeCustomInjectedHeader:injected
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
---------------------
This issue should be fixed in the redirect utility method in class.t3lib_utility_http.php, in the function redirect, line 96.
- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));
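Review bot: applying rawurlencode() to the whole return value of t3lib_div::locationHeaderUrl($url) in the + line breaks every redirect, not only the injected one, because rawurlencode also encodes ":" and "/", so a legitimate target such as http://localhost/ would be sent as Location: http%3A%2F%2Flocalhost%2F, which no client will follow. Restrict the change to the characters that enable header injection: refuse (or strip) any value containing CR or LF before calling header(), and preferably reject such a redirect_url already in the felogin layer so that a value with control characters never reaches the redirect utility. As written, the hunk adds no check on the untrusted value at all; it only re-encodes it.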
The fix should be ported to the other TYPO3 versions that are currently supported.
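The following is an added example and not TYPO3 or felogin code. It takes the POST body from the report above (embedded here as a constructed sample string), extracts redirect_url, builds a raw 303 response the way a naive implementation that does not refuse newlines would, and parses it back as a client would, so the injected header becomes visible. It then shows a hardened validator that refuses control characters and foreign hosts before the value reaches the Location header, and falls back to "/" when the value is rejected. The helper names (naive_redirect_response, validate_redirect_url, safe_redirect_response) and the allowed-host parameter are assumptions for this example, not existing TYPO3 API.

```python
"""Response splitting via a redirect_url parameter: naive vs. hardened redirect.

Added example, not TYPO3/felogin code. Everything here is self-contained and
works on a constructed copy of the POST body from the bug report.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the form-encoded POST body from the report.
SAMPLE_BODY = (
    "logintype=login&pass=g00dPa%24%24w0rD&pid=0"
    "&redirect_url=%0d%0aSomeCustomInjectedHeader:injected"
    "&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd"
)

CRLF = "\r\n"


def redirect_url_from_body(body: str) -> str:
    """Return the (percent-decoded) redirect_url field of a POST body."""
    return parse_qs(body, keep_blank_values=True).get("redirect_url", [""])[0]


def naive_redirect_response(location: str) -> str:
    """Emit a 303 whose Location header carries `location` verbatim.

    This models a header() implementation that does NOT refuse newlines,
    which is exactly the condition under which the report's injection works.
    """
    lines = ["HTTP/1.1 303 See Other",
             "Location: " + location,
             "Content-Length: 0"]
    return CRLF.join(lines) + CRLF + CRLF


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw response the way a client would:
    one header per CRLF-separated line. Returns {lowercased name: value}."""
    head, _, _body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


class InvalidRedirect(ValueError):
    """Raised when redirect_url must not be used as a Location target."""


def validate_redirect_url(value: str, allowed_host: str) -> str:
    """Hardened check (assumed policy, not TYPO3's own validateRedirectUrl):

    1. Reject every control character, which covers CR, LF and NUL and so
       removes the header-injection vector regardless of what header() does.
    2. Accept only site-absolute paths ("/...", but not "//host") or
       absolute http(s) URLs on `allowed_host`, to also close open redirects.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise InvalidRedirect("control character in redirect_url")
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        if not value.startswith("/") or value.startswith("//"):
            raise InvalidRedirect("relative redirect must be site-absolute")
        return value
    if parts.scheme not in ("http", "https") or parts.hostname != allowed_host:
        raise InvalidRedirect("redirect to foreign host refused")
    return value


def safe_redirect_response(value: str, allowed_host: str, fallback: str = "/") -> str:
    """Redirect to `value` only if it passes validation, else to `fallback`."""
    try:
        location = validate_redirect_url(value, allowed_host)
    except InvalidRedirect:
        location = fallback
    return naive_redirect_response(location)


if __name__ == "__main__":
    injected = redirect_url_from_body(SAMPLE_BODY)
    print(repr(injected))
    print(parse_headers(naive_redirect_response(injected)))
    print(parse_headers(safe_redirect_response(injected, "localhost")))
```

Run stand-alone, the first parsed response contains a somecustominjectedheader entry and an empty Location, which is the symptom in the report; the hardened path redirects to "/" and carries no injected header. Note that the validator rejects on any control character rather than percent-encoding the whole URL, so legitimate absolute targets stay intact.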
- Project changed from TYPO3 Core to 1716
Just tested with TYPO3 4.5 and PHP 5.3
REQUEST: ******
POST http://typo3-4-5.local HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 10.36.10.5
Accept: */*
Content-Length: 159
logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0aSomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd
RESPONSE: ******
HTTP/1.1 200 OK
Date: Thu, 15 May 2014 12:40:21 GMT
Server: Apache/2.2.26 (Win32) PHP/5.3.7
X-Powered-By: PHP/5.3.7
Set-Cookie: fe_typo_user=498ff7037501c1f0b66e448eb41ee8e2; path=/
Last-Modified: Mon, 02 Aug 2010 11:10:03 GMT
Expires: Fri, 16 May 2014 00:40:21 GMT
ETag: "5b30c448d52edea405081000b6edc5e5"
Cache-Control: max-age=43200
Pragma: public
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Could not reproduce with PHP 5.3.28. Any string containing CR/LF and passed to PHP's header() method is just not outputted.
However, I'm wondering why FrontendLoginController::validateRedirectUrl() is not catching the invalid return URL...
- Project changed from 1716 to TYPO3 Core
- Status changed from New to Closed
This is not possible with PHP versions > 5.1.3 (see http://de2.php.net/manual/en/function.header.php)
Response from Sven Carstens by mail:
this seems to be a false positive, as the required injection of %0d%0a%0d%0a to split the headers does in fact fail.
- Project changed from TYPO3 Core to 1716
- Project changed from 1716 to TYPO3 Core
- Status changed from Closed to Under Review
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Under Review
- Status changed from Under Review to Resolved
- Status changed from Resolved to Closed