Bug #84591
XSS in ToolbarItems icon rendering
Status: Closed
Description
Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing caches; I know about clearCacheCmd.)
Context: regular BE login and a sitepackage extension which registers this class.
Proof of concept: my class adds this identifier:
    use TYPO3\CMS\Backend\Routing\UriBuilder;
    use TYPO3\CMS\Core\Imaging\IconFactory;
    use TYPO3\CMS\Core\Utility\GeneralUtility;

    /**
     * Hook method for the clear-cache toolbar item: appends a custom cache action.
     * The 'icon' value is deliberately a script tag to demonstrate the XSS.
     *
     * @param array $cacheActions
     * @param array $optionValues
     * @return void
     */
    public function manipulateCacheActions(&$cacheActions, &$optionValues)
    {
        // Not used by this proof of concept; a real action would render its icon here
        $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
        $cacheActions[] = [
            'id' => 'news_clear_cache',
            'title' => 'Flush news caches',
            'description' => 'Clear fluid cache for frontend pages with news',
            'href' => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
            // Output unescaped by ClearCacheToolbarItem::getDropdown() in v7
            'icon' => '<script>alert(document.cookie);</script>'
        ];
    }
In TYPO3 7.6.x the cache manipulator has the option "icon", which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php.
In the function getDropdown (line 160), $cacheAction['icon'] is output without htmlspecialchars().
Updated by Oliver Hader over 6 years ago
- Description updated (diff)
- Reporter set to Guido Schmechel
- OTRS-Sec Ticket-ID set to 201802235760000013
Updated by Oliver Hader over 6 years ago
- File ext_localconf.txt added
- File NewsClearCacheAction.txt added
- File Routes.txt added
- File v7_htmlspecialchars_logo.diff added
Adding additional resources provided by the reporter.
Updated by Helmut Hummel over 6 years ago
- Project changed from 1716 to TYPO3 Core
- Category deleted (OW-A07: Cross Site Scripting)
Can be handled publicly, as the attack vector requires being able to add PHP code.
Updated by Andreas Kienast over 6 years ago
Issue is reproducible in v7 only.
Fixing is not that easy, as the icon attribute must be an HTML string, which is generated by IconFactory, which also allows this kind of XSS.
One possible fix is that we backport the behavior of v9 and v8, which means we have an attribute called iconIdentifier instead and the icon gets rendered at the required location. The downside is that this solution is breaking.
Any opinions?
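To make the two rendering strategies discussed in this ticket concrete, the following is an added illustration in plain PHP; it is neither TYPO3 core code nor the reporter's extension. IconRegistry is a hypothetical stand-in for IconFactory, renderDropdownV7 and renderDropdownHardened are hypothetical stand-ins for ClearCacheToolbarItem::getDropdown(), and the href value and icon identifier are constructed. The first renderer trusts the caller-supplied 'icon' markup (the v7 behaviour reported above); the second accepts only an 'iconIdentifier', resolves it through a fixed table, and escapes every other caller-supplied field at the output point (the v8/v9 approach).

```php
<?php
// Added illustration, not TYPO3 core code. Models the two rendering strategies
// discussed in this ticket with plain PHP; all class and function names are stand-ins.

declare(strict_types=1);

/**
 * Stand-in for IconFactory: the only way to obtain icon markup is through a
 * fixed identifier -> markup table, so callers can never inject raw HTML.
 */
final class IconRegistry
{
    /** @var array<string,string> constructed sample identifier */
    private const ICONS = [
        'example-cache-clear' => '<span class="icon icon-cache-clear"></span>',
    ];

    public static function render(string $identifier): string
    {
        if (!isset(self::ICONS[$identifier])) {
            // Unknown identifier: fall back to a harmless placeholder
            return '<span class="icon icon-empty"></span>';
        }
        return self::ICONS[$identifier];
    }
}

/**
 * Vulnerable pattern (what the ticket reports for v7): the caller-supplied
 * 'icon' value is treated as trusted HTML and concatenated into the dropdown.
 */
function renderDropdownV7(array $cacheActions): string
{
    $html = '<ul>';
    foreach ($cacheActions as $cacheAction) {
        $html .= '<li><a href="' . htmlspecialchars((string)$cacheAction['href'], ENT_QUOTES) . '">'
            . $cacheAction['icon']                       // raw HTML: the XSS sink
            . ' ' . htmlspecialchars((string)$cacheAction['title'], ENT_QUOTES)
            . '</a></li>';
    }
    return $html . '</ul>';
}

/**
 * Hardened pattern (the v8/v9 approach mentioned in the ticket): actions carry
 * an 'iconIdentifier' instead of markup, the renderer resolves it itself, and
 * every other caller-supplied field is escaped where it is written out.
 */
function renderDropdownHardened(array $cacheActions): string
{
    $html = '<ul>';
    foreach ($cacheActions as $cacheAction) {
        $html .= '<li><a href="' . htmlspecialchars((string)$cacheAction['href'], ENT_QUOTES) . '"'
            . ' title="' . htmlspecialchars((string)($cacheAction['description'] ?? ''), ENT_QUOTES) . '">'
            . IconRegistry::render((string)($cacheAction['iconIdentifier'] ?? ''))
            . ' ' . htmlspecialchars((string)$cacheAction['title'], ENT_QUOTES)
            . '</a></li>';
    }
    return $html . '</ul>';
}

// Constructed sample input mirroring the ticket's proof of concept
$payload = '<script>alert(document.cookie);</script>';
$actions = [[
    'id'             => 'news_clear_cache',
    'title'          => 'Flush news caches',
    'description'    => 'Clear fluid cache for frontend pages with news',
    'href'           => '/typo3/index.php?route=/news_clear_cache', // constructed value
    'icon'           => $payload,   // honoured verbatim by the v7-style renderer
    'iconIdentifier' => $payload,   // not a known identifier: resolves to the placeholder
]];

$v7 = renderDropdownV7($actions);
$hardened = renderDropdownHardened($actions);

echo (strpos($v7, $payload) !== false
    ? 'v7-style renderer: script tag reaches the page'
    : 'v7-style renderer: clean') . PHP_EOL;
echo (strpos($hardened, $payload) !== false
    ? 'hardened renderer: payload leaked'
    : 'hardened renderer: payload never reaches the page') . PHP_EOL;
```

The point of the second renderer is the one Andreas raises: wrapping the icon in htmlspecialchars() is not an option when the value is legitimately HTML, so the fix has to move the trust boundary so that callers supply an identifier and only the renderer produces markup. That is also why the change is breaking for extensions that already pass ready-made icon HTML.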
Updated by Jigal van Hemert over 6 years ago
In 7LTS RemoveXSS is still available. It could be used to disable most potentially unwanted stuff (it won't give 100% protection).
Updated by Riccardo De Contardi about 6 years ago
- Status changed from New to Closed
I close this issue (in agreement with the reporter) as it affects only v.7; if this is the wrong decision or there is still work that should be done, please reopen it or ping me.
Thank you.