Bug #84591

XSS in ToolbarItems icon rendering

Added by Oliver Hader over 1 year ago. Updated 10 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2018-04-04
Due date:
% Done: 0%
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing caches; I know about clearCacheCmd.)

Context: regular BE login and a sitepackage extension which registers this class.

Proof of Concept: my class adds this identifier

<?php
// Hook class registered by the sitepackage extension (see the attached ext_localconf.txt).
// The <script> payload in 'icon' is the proof of concept and is kept on purpose.
use TYPO3\CMS\Backend\Routing\UriBuilder;
use TYPO3\CMS\Core\Imaging\IconFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

class NewsClearCacheAction
{
    /**
     * @param array $cacheActions
     * @param array $optionValues
     *
     * @return void
     */
    public function manipulateCacheActions(&$cacheActions, &$optionValues)
    {
        // Would normally produce the icon markup; the PoC supplies raw HTML instead.
        $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
        $cacheActions[] = [
            'id'          => 'news_clear_cache',
            'title'       => 'Flush news caches',
            'description' => 'Clear fluid cache for frontend pages with news',
            'href'        => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
            // Output unescaped by ClearCacheToolbarItem::getDropdown() in 7.6.x
            'icon'        => '<script>alert(document.cookie);</script>'
        ];
    }
}

In TYPO3 7.6.x the cache manipulator has the option 'icon', which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php.
In the function getDropdown (line 160), $cacheAction['icon'] is used without htmlspecialchars().

Attachments:

ext_localconf.txt (695 Bytes) Oliver Hader, 2018-04-04 08:26
NewsClearCacheAction.txt (1.43 KB) Oliver Hader, 2018-04-04 08:26
Routes.txt (209 Bytes) Oliver Hader, 2018-04-04 08:26
v7_htmlspecialchars_logo.diff (3.06 KB) Oliver Hader, 2018-04-04 08:26

History

#1 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#2 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)
  • Reporter set to Guido Schmechel
  • OTRS-Sec Ticket-ID set to 201802235760000013

#3 Updated by Oliver Hader over 1 year ago

adding additional resources provided by reporter

#4 Updated by Helmut Hummel over 1 year ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)

Can be handled publicly, as the attack vector requires being able to add PHP code.

#5 Updated by Andreas Fernandez over 1 year ago

Issue is reproducible in v7 only.

Fixing is not that easy, as the icon attribute must be an HTML string, which is generated by IconFactory, which also allows this kind of XSS.
One possible fix is that we backport the behavior of v9 and v8, which means we have an attribute called iconIdentifier instead and the icon gets rendered at the required location. The downside is that this solution is breaking.

Any opinions?
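
Added illustration (not TYPO3 code and not part of this issue) of the two points made so far: the description's observation that getDropdown() concatenates the 'icon' value into the markup unescaped, and the iconIdentifier approach from comment #5. It is a stand-alone PHP 8 script with no framework dependencies; IconRegistry is a stand-in for IconFactory, and its identifiers, the markup it returns, and the href value are made up for the example.

```php
<?php
declare(strict_types=1);

// Stand-alone reproduction; nothing here is TYPO3 code. IconRegistry is a
// stand-in for IconFactory, and its identifiers and markup are made up.
// Requires PHP 8.0 or later (str_contains).

// Shape of the vulnerable rendering in 7.6.x: every field of a registered
// cache action, including 'icon', is concatenated into the dropdown markup
// as-is, so a hook that registers HTML in 'icon' (or in 'title' or
// 'description') lands unescaped in every backend page showing the toolbar.
function renderDropdownItemV7(array $cacheAction): string
{
    return '<li><a href="' . $cacheAction['href'] . '" title="' . $cacheAction['description'] . '">'
        . $cacheAction['icon'] . ' ' . $cacheAction['title'] . '</a></li>';
}

// Stand-in for the icon registry: identifier -> markup generated by the core.
final class IconRegistry
{
    private const ICONS = [
        'actions-system-cache-clear-impact-low'    => '<span class="icon icon-size-small icon-actions-system-cache-clear-impact-low"></span>',
        'actions-system-cache-clear-impact-medium' => '<span class="icon icon-size-small icon-actions-system-cache-clear-impact-medium"></span>',
    ];

    public static function render(string $identifier): string
    {
        // Unknown identifiers are rejected rather than echoed back, so the
        // only icon markup that can reach the page is markup the core produced.
        if (!array_key_exists($identifier, self::ICONS)) {
            throw new InvalidArgumentException('Unknown icon identifier: ' . $identifier);
        }
        return self::ICONS[$identifier];
    }
}

// Hardened shape (the v8/v9 behaviour described in #5): hooks pass an
// 'iconIdentifier' that is resolved to core-generated markup at render time,
// and every free-text field is escaped for its HTML context.
function renderDropdownItemHardened(array $cacheAction): string
{
    $e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<li><a href="' . $e($cacheAction['href']) . '" title="' . $e($cacheAction['description']) . '">'
        . IconRegistry::render($cacheAction['iconIdentifier']) . ' ' . $e($cacheAction['title']) . '</a></li>';
}

// Constructed input mirroring the proof of concept in the description.
$payload = '<script>alert(document.cookie);</script>';
$hostile = [
    'id'             => 'news_clear_cache',
    'title'          => 'Flush news caches',
    'description'    => 'Clear fluid cache for frontend pages with news',
    'href'           => '/typo3/index.php?route=%2Fnews_clear_cache&token=abc',
    'icon'           => $payload,
    'iconIdentifier' => $payload,
];

// 1. Vulnerable renderer: the script tag survives verbatim.
$v7 = renderDropdownItemV7($hostile);
echo (str_contains($v7, $payload) ? 'v7: payload rendered unescaped' : 'v7: payload escaped') . "\n";

// 2. Hardened renderer: the hostile identifier is rejected outright.
try {
    renderDropdownItemHardened($hostile);
    echo "hardened: hostile identifier accepted (unexpected)\n";
} catch (InvalidArgumentException $exception) {
    echo 'hardened: ' . $exception->getMessage() . "\n";
}

// 3. Hardened renderer with a known identifier: markup in a text field is
//    neutralised while the core-generated icon markup stays intact.
$benign = $hostile;
$benign['iconIdentifier'] = 'actions-system-cache-clear-impact-low';
$benign['title']          = 'Flush <b>news</b> caches';
echo renderDropdownItemHardened($benign) . "\n";
```

The point of resolving an identifier instead of escaping 'icon' is that the icon has to be HTML, so htmlspecialchars() on it would break every legitimate icon, whereas an identifier lookup keeps the markup under the core's control and turns a hostile value into a rejected lookup rather than injected script. The free-text fields ('title', 'description', 'href') are escaped in the hardened version because they are just as reachable from a hook as 'icon'.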

#6 Updated by Jigal van Hemert over 1 year ago

In 7LTS RemoveXSS is still available. It could be used to disable most potentially unwanted stuff (it won't give 100% protection).

#7 Updated by Riccardo De Contardi 10 months ago

  • Status changed from New to Closed

I close this issue (in agreement with the reporter) as it affects only v7; if this is the wrong decision or there is still work that should be done, please reopen it or ping me.

Thank you.
