Bug #72475

XSS in belog module

Added by Oliver Hader over 3 years ago. Updated 12 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2015-12-30
Due date:
% Done: 100%
TYPO3 Version: 6.2
PHP Version: 5.5
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

The belog module, accessible to admin users, is vulnerable to XSS.

Requirements

a) create a backend user having the name

te<b>st</b>

b) create a workspace record having the title
work<b>space</b>

PoC

  • switch to the created user
  • switch to the created workspace
  • modify or create any content
  • open the log at System>Log and see the unescaped contents of the user and workspace

Attachment: 72475.png (19.3 KB), Oliver Hader, 2015-12-30 13:23
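The defect is a missing output-escaping step: the username and workspace title are written into the log view's HTML as-is, so the `<b>` tags from the test values above render as markup. The following is an added example, not code from the ticket or from TYPO3's belog module, showing the unescaped rendering beside the escaped form the commits describe. The function names, the field names (`username`, `workspaceTitle`, `details`) and the sample row are constructed for illustration.

```php
<?php
// Constructed example (not TYPO3's belog code): render one log row as an
// HTML table row, escaping every user-controlled field on output.

/**
 * Escape a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string.
 */
function escapeHtml($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Vulnerable variant: concatenates the username and workspace title straight
 * into the markup. This mirrors the defect the ticket describes.
 */
function renderLogRowUnescaped(array $row)
{
    return '<tr><td>' . $row['username'] . '</td>'
        . '<td>' . $row['workspaceTitle'] . '</td>'
        . '<td>' . $row['details'] . '</td></tr>';
}

/**
 * Fixed variant: every field passes through escapeHtml() before rendering,
 * so data from a backend user or workspace record can never become markup.
 */
function renderLogRowEscaped(array $row)
{
    return '<tr><td>' . escapeHtml($row['username']) . '</td>'
        . '<td>' . escapeHtml($row['workspaceTitle']) . '</td>'
        . '<td>' . escapeHtml($row['details']) . '</td></tr>';
}

/**
 * Regression check: true when the rendered row contains no tag that came
 * from the data (only the <tr>/<td> markup the renderer itself emits).
 */
function containsOnlyRendererMarkup($html)
{
    $stripped = str_replace(array('<tr>', '</tr>', '<td>', '</td>'), '', $html);
    return strpos($stripped, '<') === false && strpos($stripped, '>') === false;
}

// Constructed sample row using the ticket's test values (hypothetical field names).
$row = array(
    'username'       => 'te<b>st</b>',
    'workspaceTitle' => 'work<b>space</b>',
    'details'        => 'Record "tt_content:1" was updated',
);

$unescaped = renderLogRowUnescaped($row);
$escaped   = renderLogRowEscaped($row);

// The unescaped row carries the injected <b> tags; the escaped row does not.
if (containsOnlyRendererMarkup($unescaped)) {
    throw new RuntimeException('expected the unescaped renderer to leak markup');
}
if (!containsOnlyRendererMarkup($escaped)) {
    throw new RuntimeException('escaped renderer still emits data as markup');
}
if (strpos($escaped, 'te&lt;b&gt;st&lt;/b&gt;') === false
    || strpos($escaped, 'work&lt;b&gt;space&lt;/b&gt;') === false) {
    throw new RuntimeException('escaped renderer did not entity-encode the fields');
}

echo $escaped, PHP_EOL;
```

The check function is the kind of assertion worth keeping as a unit test for a log or list view: it fails as soon as any field is rendered without escaping, regardless of which field a future change forgets. Escaping at the point of output (rather than sanitising on save) also keeps the stored username and workspace title intact for non-HTML consumers.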

Associated revisions

Revision 056323e9 (diff)
Added by Oliver Hader over 3 years ago

[SECURITY] XSS in belog module

The username of a backend user and title of a workspace record
miss accordant escaping if being rendered in the belog module.

Since this has only impact on admin users in the backend, the
fix is handled in public instead of a security release.

Resolves: #72475
Releases: master, 7.6, 6.2
Change-Id: Ib165f8ef849a641984fc5fb834b30983f7b63a54
Reviewed-on: https://review.typo3.org/45519
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>
Reviewed-by: Morton Jonuschat <>
Tested-by: Morton Jonuschat <>

Revision 3eb2e46d (diff)
Added by Oliver Hader over 3 years ago

[SECURITY] XSS in belog module

The username of a backend user and title of a workspace record
miss accordant escaping if being rendered in the belog module.

Since this has only impact on admin users in the backend, the
fix is handled in public instead of a security release.

Resolves: #72475
Releases: master, 7.6, 6.2
Change-Id: Ib165f8ef849a641984fc5fb834b30983f7b63a54
Reviewed-on: https://review.typo3.org/45519
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit 056323e9141c9028d07c1e12543584e03b5f0c9e)
Reviewed-on: https://review.typo3.org/45522

Revision 967391fa (diff)
Added by Morton Jonuschat over 3 years ago

[SECURITY] XSS in belog module

The username of a backend user and title of a workspace record
miss accordant escaping if being rendered in the belog module.

Since this has only impact on admin users in the backend, the
fix is handled in public instead of a security release.

Resolves: #72475
Releases: master, 7.6, 6.2
Change-Id: Ib165f8ef849a641984fc5fb834b30983f7b63a54
(cherry picked from commit 056323e9141c9028d07c1e12543584e03b5f0c9e)
Reviewed-on: https://review.typo3.org/45523
Reviewed-by: Oliver Hader <>
Reviewed-by: Morton Jonuschat <>
Tested-by: Morton Jonuschat <>

History

#1 Updated by Oliver Hader over 3 years ago

#2 Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/45502

#3 Updated by Helmut Hummel over 3 years ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)
  • Is Regression set to No

Users and Workspaces can only be created by admins, so it is fine to fix this in public

#4 Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45519

#5 Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45522

#6 Updated by Oliver Hader over 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#7 Updated by Gerrit Code Review over 3 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45523

#8 Updated by Oliver Hader over 3 years ago

  • Status changed from Under Review to Resolved

#9 Updated by Benni Mack 12 months ago

  • Status changed from Resolved to Closed
