Project

General

Profile

Actions

Bug #62723

closed

Cache poisoning with prefixLocalAchors

Added by Helmut Hummel about 10 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2014-11-05
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

assumptions:


config.absRefPrefix =
config.prefixLocalAnchors = all

page = PAGE
page.10 = TEXT
page.10.value = <a href="#skiplinks">Skiplinks</a>

Request the TYPO3 installation with:

http:/host.tld/http://malicious.host.tld/

The resulting link will be:

<a href="http://malicious.host.tld/#skiplinks">Skiplinks</a>

Related issues 5 (0 open5 closed)

Related to TYPO3 Core - Bug #58528: config.prefixLocalAnchors causes GET parameters to be prepended to local anchorsRejected2014-05-05

Actions
Related to TYPO3 Core - Bug #64252: prefixLocalAnchors broken by call to member function on a non-objectClosed2015-01-12

Actions
Related to TYPO3 Core - Bug #63896: class.tslib_fe: Call to a member function getUrlToCurrentLocation() after Update to TYPO3 4.5.39Closed2014-12-15

Actions
Related to TYPO3 Core - Bug #65671: automatically added leading '/' to href-Attribute even if I just want '#'Closed2015-03-11

Actions
Related to TYPO3 Core - Bug #78043: Can't create local anchors using RTEClosed2016-09-22

Actions
Actions #1

Updated by Helmut Hummel about 10 years ago

Investigations I've done so far:

  • Only the root page is affected, as invalid URIs will not deliver other pages than the root page of a domain
  • the issue is bad enough with just invalid uris (without http://) as they will be cached
  • no mitigation with enabled pageNotFoundHandling as TYPO3 without id set will deliver the root page
  • no mitigation with realurl enabled as for some reason uris like the above did not trigger a 404 in my setup (mostly realurl autoconf)
  • This issue is mitigated with config.absRefPrefix = / in so far as links will not leave the domain any more. The wrong links will still be cached.
  • This issue is mitigated in TYPO3 > 4.6 if the root page is a shortcut, because there will be a redirect to the shortcut target and the redirect link is generated with typolink
Actions #2

Updated by Helmut Hummel about 10 years ago

Helmut Hummel wrote:

  • This issue is mitigated with config.absRefPrefix = / in so far as links will not leave the domain any more. The wrong links will still be cached.

In fact, the links are not that wrong. They also lead to the homepage, but look weird

Actions #3

Updated by Gerrit Code Review about 10 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #4

Updated by Gerrit Code Review about 10 years ago

Patch set 2 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #5

Updated by Gerrit Code Review about 10 years ago

Patch set 3 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #6

Updated by Gerrit Code Review about 10 years ago

Patch set 4 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #7

Updated by Gerrit Code Review about 10 years ago

Patch set 5 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #8

Updated by Gerrit Code Review about 10 years ago

Patch set 6 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #9

Updated by Gerrit Code Review almost 10 years ago

Patch set 8 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #10

Updated by Gerrit Code Review almost 10 years ago

Patch set 9 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #11

Updated by Gerrit Code Review almost 10 years ago

Patch set 10 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #12

Updated by Gerrit Code Review almost 10 years ago

Patch set 11 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #13

Updated by Gerrit Code Review almost 10 years ago

Patch set 12 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #14

Updated by Gerrit Code Review almost 10 years ago

Patch set 13 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #15

Updated by Gerrit Code Review almost 10 years ago

Patch set 14 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #16

Updated by Markus Klein almost 10 years ago

ok tested this now with set 13:
  • domain: kleindev
  • instance running in subfolder: 62
  • realurl with autosetup
  • config.absRefPrefix =
  • config.prefixLocalAnchors = all
Test process:

Seems the output is somehow cached, although BE user is logged in

Actions #17

Updated by Gerrit Code Review almost 10 years ago

Patch set 15 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #18

Updated by Gerrit Code Review almost 10 years ago

Patch set 16 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #19

Updated by Gerrit Code Review almost 10 years ago

Patch set 1 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35214

Actions #20

Updated by Gerrit Code Review almost 10 years ago

Patch set 1 for branch TYPO3_4-5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35215

Actions #21

Updated by Gerrit Code Review almost 10 years ago

Patch set 17 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

Actions #22

Updated by Gerrit Code Review almost 10 years ago

Patch set 2 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35214

Actions #23

Updated by Gerrit Code Review almost 10 years ago

Patch set 1 for branch TYPO3_4-5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35222

Actions #24

Updated by Gerrit Code Review almost 10 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35223

Actions #25

Updated by Gerrit Code Review almost 10 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35224

Actions #26

Updated by Helmut Hummel almost 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #27

Updated by Gerrit Code Review almost 10 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_7-0 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35233

Actions #28

Updated by Helmut Hummel almost 10 years ago

  • Project changed from 1716 to TYPO3 Core
  • Is Regression set to No

Making this public (despite publishing exploit code at the same time) to help users to better understand this issue and act accordingly.

Actions #29

Updated by Helmut Hummel almost 10 years ago

  • Status changed from Under Review to Resolved
Actions #30

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF