Bug #61277
Status: Closed
Major security issue - f:form viewhelper serializes whole objects when used with $this->forward
Description
This issue has been reported in a different context here:
https://forge.typo3.org/issues/57633
After digging a bit I found a huge security issue with this bug. You can get access to all properties of the object and all linked objects.
Typo3 Version: 6.2.3
how to reproduce:
We need any Model
Actions:
Edit action
Save action
Edit action -> Save action -> forward to Edit action with the model object as argument
After the save action the form generates a [__referrer][arguments] hidden field with the whole object hashed as base64.
typo3 6.2/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php line 229
The hash is not only huge (2mb in my case) but also contains ALL the data forwarded. The hash can be unserialized via base64_decode and you can see all model properties of the object and ALL linked objects. If used with an object linked to a fe_user record you can access ALL the data from the user record (including hashed password and other security related data).
    /**
     * Renders the edit form for the given object (null on first call).
     *
     * @param \Dl\Test\Domain\Model\Object $object
     */
    public function editAction(\Dl\Test\Domain\Model\Object $object = null)
    {
        $this->view->assign('object', $object);
    }

    /**
     * Persists the object and forwards back to the edit action with the
     * whole object as argument, so it ends up in __referrer[arguments].
     *
     * @param \Dl\Test\Domain\Model\Object $object
     */
    public function saveAction(\Dl\Test\Domain\Model\Object $object)
    {
        $this->forward('edit', null, null, array('object' => $object));
    }
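The following stand-alone PHP script is an added illustration of the reporter's point, not code from the issue, from the Dl/Test extension or from the Fluid FormViewHelper. It models a constructed entity graph (an Article that references a FrontendUser-like object holding a password hash), builds the same kind of payload the hidden referrer field carries (base64 of the serialized argument array), and shows a simple server-side check that flags when such a payload would expose a related record. It also contrasts forwarding the whole object with forwarding only its identifier, which keeps the user record out of the payload; the class names, values and the helper functions are all assumptions made for this example.

```php
<?php
// Added example (not the issue's or TYPO3's own code). Demonstrates why a
// serialized request argument must not carry a whole object graph.

// Constructed stand-in for a fe_user record: holds data that must never
// reach the browser, such as the stored password hash.
class FrontendUser
{
    protected $uid;
    protected $username;
    protected $password;   // stored hash

    public function __construct($uid, $username, $passwordHash)
    {
        $this->uid = $uid;
        $this->username = $username;
        $this->password = $passwordHash;
    }

    public function getUid() { return $this->uid; }
}

// Constructed domain object that is linked to the user record, as the
// issue describes for the forwarded model object.
class Article
{
    protected $uid;
    protected $title;
    protected $author;   // relation to the FrontendUser

    public function __construct($uid, $title, FrontendUser $author)
    {
        $this->uid = $uid;
        $this->title = $title;
        $this->author = $author;
    }

    public function getUid() { return $this->uid; }
}

// Builds what a hidden referrer field would carry for a given argument
// array: the serialized array, base64-encoded. (Assumption: this mirrors
// the encoding the issue describes; no signing is modelled here.)
function encodeReferrerArguments(array $arguments)
{
    return base64_encode(serialize($arguments));
}

// Defender-side check: does the encoded payload contain a sensitive
// property name from a related record? A real check would list every
// field that must stay server-side; 'password' is the example here.
function payloadExposesSensitiveField($encoded, $field = 'password')
{
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        return false;   // not base64 at all, nothing to inspect
    }
    // Look for the serialized property name rather than unserializing:
    // inspecting untrusted input should never instantiate classes.
    return strpos($decoded, '"' . $field . '"') !== false;
}

// Constructed sample data (the hash is a placeholder, not a real value).
$user = new FrontendUser(7, 'alice', '$P$PLACEHOLDER_HASH');
$article = new Article(42, 'Hello', $user);

// Unsafe: the whole object graph, user record included, is forwarded.
$leaky = encodeReferrerArguments(array('object' => $article));
echo 'whole object forwarded, exposes password: ';
var_dump(payloadExposesSensitiveField($leaky));
echo 'payload length: ' . strlen($leaky) . "\n";

// Safer: forward only the identifier; the receiving action reloads the
// entity from persistence, so nothing beyond the uid leaves the server.
$safe = encodeReferrerArguments(array('object' => $article->getUid()));
echo 'only uid forwarded, exposes password: ';
var_dump(payloadExposesSensitiveField($safe));
echo 'payload length: ' . strlen($safe) . "\n";
```

Run with `php example.php`. In an Extbase controller the equivalent of the safer variant is to forward (or better, redirect) with `array('object' => $object->getUid())` and let the property mapper resolve the entity again in the edit action; this example assumes that mapping behaviour rather than reproducing it, and the detection helper is a constructed sanity check, not something the framework provides.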