Bug #61277
Status: closed
Major security issue - f:form viewhelper serializes the whole objects when used with $this->forward
Description
This issue has been reported in a different context here:
https://forge.typo3.org/issues/57633
After digging a bit I found a huge security issue with this bug. You can get access to all properties of the object and all linked objects.
TYPO3 version: 6.2.3
How to reproduce:
We need any model.
Actions:
Edit action
Save action
Edit action -> Save action -> forward to Edit action with the model object as argument
After the save action the form generates a [__referrer][arguments] hidden field with the whole object hashed as base64.
TYPO3 6.2: typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php line 229
The hash is not only huge (2 MB in my case) but also contains ALL the data forwarded. The hash can be unserialized via base64decode and you can see all model properties of the object and ALL linked objects. If used with an object linked to a fe_user record you can access ALL the data from the user record (including hashed password and other security related data).

    // Edit action: renders the form for the (optional) object
    public function editAction(\Dl\Test\Domain\Model\Object $object = null) {
        $this->view->assign('object', $object);
    }

    // Save action: forwards the whole object back to the edit action
    public function saveAction(\Dl\Test\Domain\Model\Object $object) {
        $this->forward('edit', null, null, array('object' => $object));
    }
Updated by Dimitri Lavrenük about 10 years ago
As a quick fix for the developers:
You can reset the request of the controllerContext in the edit action to prevent serialization of the objects:

    $this->controllerContext->getRequest()->setArguments(array());
Updated by Anja Leichsenring about 10 years ago
- Project changed from 534 to 1716
- Category deleted (Extbase: Security)
- TYPO3 Version set to 6.2
Updated by Helmut Hummel about 10 years ago
- Project changed from 1716 to TYPO3 Core
- Is Regression set to No
Moving back to the public tracker
Updated by Helmut Hummel about 10 years ago
Dimitri Lavrenük wrote:

> This issue has been reported in a different context here:
> https://forge.typo3.org/issues/57633

We should continue with the discussion there.

> After digging a bit I found a huge security issue with this bug. You can get access to all properties of the object and all linked objects.
> TYPO3 version: 6.2.3

I agree that this is not nice and should be changed. However this is only a security issue in very specific cases (which are not part of the core), so we can handle that bug in public.

> Edit action -> Save action -> forward to Edit action with the model object as argument
> After the save action the form generates a [__referrer][arguments] hidden field with the whole object hashed as base64.
>
>     public function editAction(\Dl\Test\Domain\Model\Object $object = null) {
>         $this->view->assign('object', $object);
>     }
>
>     public function saveAction(\Dl\Test\Domain\Model\Object $object) {
>         $this->forward('edit', null, null, array('object' => $object));
>     }
Why are you using a forward here anyway? To me it makes more sense to use a redirect for this example.
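As an added example (not code from the issue, the reporter, or TYPO3 itself), here is the edit/save controller pair rewritten with both mitigations that appear in this thread: the request-argument reset from the quick-fix comment, and a redirect in place of the forward as suggested above. The namespace `Dl\Test`, the model class `Item`, the controller and the repository are assumed names chosen for illustration; the Extbase calls (`setArguments`, `redirect`, `@inject`) are the TYPO3 6.2 ones.

```php
<?php
namespace Dl\Test\Controller;

use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

/**
 * Assumed controller for an assumed model \Dl\Test\Domain\Model\Item.
 */
class ItemController extends ActionController
{
    /**
     * @var \Dl\Test\Domain\Repository\ItemRepository
     * @inject
     */
    protected $itemRepository;

    /**
     * Renders the edit form.
     *
     * If this action is reached through $this->forward() with the object as
     * argument, f:form (FormViewHelper in TYPO3 6.2) would serialise every
     * request argument into the __referrer[arguments] hidden field, and the
     * whole object graph would end up in the HTML. Clearing the request
     * arguments first is the quick fix from the thread.
     *
     * @param \Dl\Test\Domain\Model\Item $item
     * @return void
     */
    public function editAction(\Dl\Test\Domain\Model\Item $item = null)
    {
        // Quick fix: drop forwarded arguments so the referrer field carries
        // nothing but the action/controller names.
        $this->controllerContext->getRequest()->setArguments(array());
        $this->view->assign('item', $item);
    }

    /**
     * Persists the object and then redirects instead of forwarding.
     *
     * A redirect starts a fresh request that carries only the object's UID;
     * Extbase reloads the object from the repository for editAction(), so
     * no domain object is available to be serialised into the form.
     *
     * @param \Dl\Test\Domain\Model\Item $item
     * @return void
     */
    public function saveAction(\Dl\Test\Domain\Model\Item $item)
    {
        $this->itemRepository->update($item);
        // Pass the identifier only, not the object.
        $this->redirect('edit', null, null, array('item' => $item->getUid()));
    }
}
```

With the redirect in place, the quick-fix line in editAction() is a belt-and-braces measure: the only argument left in the request is the UID, which is harmless to include in the referrer field. Whichever variant is used, a quick check is to view the rendered form's source and confirm that the `__referrer[arguments]` value is a few bytes rather than the multi-megabyte blob described in the report.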
Updated by Helmut Hummel about 10 years ago
- Status changed from New to Closed
I will close this as duplicate. Any further discussion should go to #57633.