Bug #62723
Cache poisoning with prefixLocalAnchors
Status: closed
100%
Description
assumptions:
config.absRefPrefix =
config.prefixLocalAnchors = all
page = PAGE
page.10 = TEXT
page.10.value = <a href="#skiplinks">Skiplinks</a>
Request the TYPO3 installation with:
http://host.tld/http://malicious.host.tld/
The resulting link will be:
<a href="http://malicious.host.tld/#skiplinks">Skiplinks</a>
Updated by Helmut Hummel about 10 years ago
Investigations I've done so far:
- Only the root page is affected, as invalid URIs will not deliver other pages than the root page of a domain
- The issue is bad enough with just invalid URIs (without http://), as they will be cached
- No mitigation with enabled pageNotFoundHandling, as TYPO3 without id set will deliver the root page
- No mitigation with realurl enabled, as for some reason URIs like the above did not trigger a 404 in my setup (mostly realurl autoconf)
- This issue is mitigated with config.absRefPrefix = / in so far as links will not leave the domain any more. The wrong links will still be cached.
- This issue is mitigated in TYPO3 > 4.6 if the root page is a shortcut, because there will be a redirect to the shortcut target and the redirect link is generated with typolink
Updated by Helmut Hummel about 10 years ago
Helmut Hummel wrote:
- This issue is mitigated with config.absRefPrefix = / in so far as links will not leave the domain any more. The wrong links will still be cached.
In fact, the links are not that wrong. They also lead to the homepage, but look weird.
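An added example, not part of the original ticket and not TYPO3 code: a Python check that audits rendered or cached page HTML for the symptom described above, namely links to the template's local anchors whose prefix resolves off-site or to an unexpected path on the same host. The function name, the `local_fragments` parameter and the sample HTML strings are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _AnchorHrefs(HTMLParser):
    """Collect the href of every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def audit_local_anchors(html, canonical_url, local_fragments):
    """Return (href, verdict) for each link to a known local anchor.

    verdict: 'ok'         resolves to the canonical URL of the page
             'odd-prefix' same host, but a different path or query
             'off-site'   resolves to another scheme or host
    """
    canon = urlsplit(canonical_url)
    parser = _AnchorHrefs()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        target = urlsplit(urljoin(canonical_url, href))
        if target.fragment not in local_fragments:
            continue  # not one of the template's local anchors
        if (target.scheme, target.netloc.lower()) != (canon.scheme, canon.netloc.lower()):
            verdict = "off-site"
        elif (target.path, target.query) != (canon.path, canon.query):
            verdict = "odd-prefix"
        else:
            verdict = "ok"
        findings.append((href, verdict))
    return findings


# Constructed samples of cached root-page output (hostnames as in the report).
CLEAN = '<a href="#skiplinks">Skiplinks</a>'
OFF_SITE = '<a href="http://malicious.host.tld/#skiplinks">Skiplinks</a>'
ODD = '<a href="foo/bar#skiplinks">Skiplinks</a>'

if __name__ == "__main__":
    for page in (CLEAN, OFF_SITE, ODD):
        print(audit_local_anchors(page, "http://host.tld/", {"skiplinks"}))
```

An 'odd-prefix' result corresponds to the same-domain case noted above: the link still leads to the site, but the cached prefix came from a request URI other than the page's canonical one.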
Updated by Gerrit Code Review about 10 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review about 10 years ago
Patch set 2 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review about 10 years ago
Patch set 3 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review about 10 years ago
Patch set 4 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review about 10 years ago
Patch set 5 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review about 10 years ago
Patch set 6 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 8 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 9 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 10 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 11 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 12 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 13 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 14 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Markus Klein almost 10 years ago
- domain: kleindev
- instance running in subfolder: 62
- realurl with autosetup
- config.absRefPrefix =
- config.prefixLocalAnchors = all
- login to BE, clear caches
- accessing http://kleindev/62/index.php?id=1 in FE
- skip link generated is: http://kleindev/62/index.php?id=1#main
- logging out in BE
- accessing http://kleindev/62/ in FE
- skip link still is the same
- logging in again in BE
- clear caches
- logging out in BE
- access http://kleindev/62/ in FE
- skip link now is http://kleindev/62/#main
Seems the output is somehow cached, although a BE user is logged in.
Updated by Gerrit Code Review almost 10 years ago
Patch set 15 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 16 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 1 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35214
Updated by Gerrit Code Review almost 10 years ago
Patch set 1 for branch TYPO3_4-5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35215
Updated by Gerrit Code Review almost 10 years ago
Patch set 17 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/33872
Updated by Gerrit Code Review almost 10 years ago
Patch set 2 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/35214
Updated by Gerrit Code Review almost 10 years ago
Patch set 1 for branch TYPO3_4-5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35222
Updated by Gerrit Code Review almost 10 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35223
Updated by Gerrit Code Review almost 10 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35224
Updated by Helmut Hummel almost 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset typo3cms-core:63ae7ddd11d284a121f23ce86282e3149bc16f96.
Updated by Gerrit Code Review almost 10 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_7-0 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35233
Updated by Helmut Hummel almost 10 years ago
- Project changed from 1716 to TYPO3 Core
- Is Regression set to No
Making this public (despite publishing exploit code at the same time) to help users to better understand this issue and act accordingly.
Updated by Helmut Hummel almost 10 years ago
- Status changed from Under Review to Resolved