Bug #62723

Cache poisoning with prefixLocalAnchors

Added by Helmut Hummel almost 7 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2014-11-05
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Assumptions:


config.absRefPrefix =
config.prefixLocalAnchors = all

page = PAGE
page.10 = TEXT
page.10.value = <a href="#skiplinks">Skiplinks</a>

Request the TYPO3 installation with:

http:/host.tld/http://malicious.host.tld/

The resulting link will be:

<a href="http://malicious.host.tld/#skiplinks">Skiplinks</a>
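
The rewrite described above, modelled as an added example (not TYPO3 core code and not the patch from the review server). All function names are hypothetical, and the allowlist fallback is an assumed hardening chosen for illustration:

```php
<?php
// Added illustration; not TYPO3 core code. All function names are hypothetical.

// Strip query string and fragment from the client-supplied request URI.
function requestPath(string $requestUri): string
{
    return preg_split('/[?#]/', $requestUri, 2)[0];
}

// Behaviour from the report: empty absRefPrefix, request path reflected as-is.
function reflectedPrefix(string $requestUri): string
{
    return ltrim(requestPath($requestUri), '/');
}

// Assumed hardening: reflect the path only when it consists of plain
// segments; anything else falls back to the site root.
function allowlistedPrefix(string $requestUri): string
{
    $path = requestPath($requestUri);
    $ok = $path !== '' && preg_match('#^(/[A-Za-z0-9._~-]+)*/?$#D', $path) === 1;
    return $ok ? $path : '/';
}

// Prepend $prefix to every fragment-only href (what prefixLocalAnchors does).
function prefixAnchors(string $html, string $prefix): string
{
    return preg_replace_callback(
        '/(<a\b[^>]*\bhref=")(#[^"]*)"/i',
        function (array $m) use ($prefix): string {
            return $m[1] . htmlspecialchars($prefix, ENT_QUOTES, 'UTF-8') . $m[2] . '"';
        },
        $html
    );
}

// True when a browser would resolve the href to a different origin.
function leavesSite(string $href): bool
{
    return preg_match('#^\s*([a-z][a-z0-9+.-]*:|[/\\\\]{2})#i', $href) === 1;
}

$html = '<a href="#skiplinks">Skiplinks</a>';
$uri  = '/http://malicious.host.tld/';   // request path from the report
foreach (['reflectedPrefix', 'allowlistedPrefix'] as $fn) {
    $prefix = $fn($uri);
    printf("%-18s %s leavesSite=%s\n", $fn, prefixAnchors($html, $prefix),
        var_export(leavesSite($prefix . '#skiplinks'), true));
}
```

Running `leavesSite()` over the hrefs of cached root-page output is one way to check whether an already-poisoned entry is being served.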

Related issues

Related to TYPO3 Core - Bug #58528: config.prefixLocalAnchors causes GET parameters to be prepended to local anchors (Rejected, 2014-05-05)
Related to TYPO3 Core - Bug #64252: prefixLocalAnchors broken by call to member function on a non-object (Closed, 2015-01-12)
Related to TYPO3 Core - Bug #63896: class.tslib_fe: Call to a member function getUrlToCurrentLocation() after Update to TYPO3 4.5.39 (Closed, 2014-12-15)
Related to TYPO3 Core - Bug #65671: automatically added leading '/' to href-Attribute even if I just want '#' (Closed, 2015-03-11)
Related to TYPO3 Core - Bug #78043: Can't create local anchors using RTE (Closed, 2016-09-22)

#1

Updated by Helmut Hummel almost 7 years ago

Investigations I've done so far:

  • Only the root page is affected, as invalid URIs will not deliver other pages than the root page of a domain
  • The issue is bad enough with just invalid URIs (without http://) as they will be cached
  • No mitigation with enabled pageNotFoundHandling as TYPO3 without id set will deliver the root page
  • No mitigation with realurl enabled as for some reason URIs like the above did not trigger a 404 in my setup (mostly realurl autoconf)
  • This issue is mitigated with config.absRefPrefix = / in so far as links will not leave the domain any more. The wrong links will still be cached.
  • This issue is mitigated in TYPO3 > 4.6 if the root page is a shortcut, because there will be a redirect to the shortcut target and the redirect link is generated with typolink
#2

Updated by Helmut Hummel almost 7 years ago

Helmut Hummel wrote:

  • This issue is mitigated with config.absRefPrefix = / in so far as links will not leave the domain any more. The wrong links will still be cached.

In fact, the links are not that wrong. They also lead to the homepage, but look weird.

#3

Updated by Gerrit Code Review almost 7 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#4

Updated by Gerrit Code Review almost 7 years ago

Patch set 2 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#5

Updated by Gerrit Code Review almost 7 years ago

Patch set 3 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#6

Updated by Gerrit Code Review almost 7 years ago

Patch set 4 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#7

Updated by Gerrit Code Review almost 7 years ago

Patch set 5 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#8

Updated by Gerrit Code Review almost 7 years ago

Patch set 6 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#9

Updated by Gerrit Code Review almost 7 years ago

Patch set 8 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#10

Updated by Gerrit Code Review almost 7 years ago

Patch set 9 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#11

Updated by Gerrit Code Review almost 7 years ago

Patch set 10 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#12

Updated by Gerrit Code Review almost 7 years ago

Patch set 11 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#13

Updated by Gerrit Code Review almost 7 years ago

Patch set 12 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#14

Updated by Gerrit Code Review almost 7 years ago

Patch set 13 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#15

Updated by Gerrit Code Review almost 7 years ago

Patch set 14 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#16

Updated by Markus Klein almost 7 years ago

OK, tested this now with set 13:
  • domain: kleindev
  • instance running in subfolder: 62
  • realurl with autosetup
  • config.absRefPrefix =
  • config.prefixLocalAnchors = all
Test process:

Seems the output is somehow cached, although BE user is logged in

#17

Updated by Gerrit Code Review almost 7 years ago

Patch set 15 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#18

Updated by Gerrit Code Review almost 7 years ago

Patch set 16 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#19

Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35214

#20

Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch TYPO3_4-5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35215

#21

Updated by Gerrit Code Review almost 7 years ago

Patch set 17 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872

#22

Updated by Gerrit Code Review almost 7 years ago

Patch set 2 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35214

#23

Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch TYPO3_4-5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35222

#24

Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35223

#25

Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35224

#26

Updated by Helmut Hummel almost 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#27

Updated by Gerrit Code Review almost 7 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_7-0 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35233

#28

Updated by Helmut Hummel almost 7 years ago

  • Project changed from 1716 to TYPO3 Core
  • Is Regression set to No

Making this public (despite publishing exploit code at the same time) to help users to better understand this issue and act accordingly.

#29

Updated by Helmut Hummel almost 7 years ago

  • Status changed from Under Review to Resolved
#30

Updated by Benni Mack almost 3 years ago

  • Status changed from Resolved to Closed
