Bug #84591 (closed)

XSS in ToolbarItems icon rendering

Added by Oliver Hader almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2018-04-04
% Done: 0%
TYPO3 Version: 7

Description

Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing caches. I know about clearCacheCmd.)

Context: a regular BE login and a sitepackage extension which registers this class.

Proof of Concept: My class adds this identifier:

<?php
// Namespace is an assumption; the attached NewsClearCacheAction.txt holds the original file.
namespace Vendor\Sitepackage\Hooks;

use TYPO3\CMS\Backend\Routing\UriBuilder;
use TYPO3\CMS\Backend\Toolbar\ClearCacheActionsHookInterface;
use TYPO3\CMS\Core\Imaging\IconFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

class NewsClearCacheAction implements ClearCacheActionsHookInterface
{
    /**
     * Hook registered via $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['additionalBackendItems']['cacheActions']
     *
     * @param array $cacheActions
     * @param array $optionValues
     *
     * @return void
     */
    public function manipulateCacheActions(&$cacheActions, &$optionValues)
    {
        // Unused in this PoC; a real hook would render its icon markup with it
        $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
        $cacheActions[] = [
            'id'          => 'news_clear_cache',
            'title'       => 'Flush news caches',
            'description' => 'Clear fluid cache for frontend pages with news',
            'href'        => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
            // 'icon' is treated as raw HTML by ClearCacheToolbarItem::getDropdown(), so this is output unescaped
            'icon'        => '<script>alert(document.cookie);</script>'
        ];
    }
}

In TYPO3 7.6.x the cache manipulator has the option "icon", which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php.
In the function getDropdown (line 160), $cacheAction['icon'] is used without htmlspecialchars().


Files

ext_localconf.txt (695 Bytes), Oliver Hader, 2018-04-04 08:26
NewsClearCacheAction.txt (1.43 KB), Oliver Hader, 2018-04-04 08:26
Routes.txt (209 Bytes), Oliver Hader, 2018-04-04 08:26
v7_htmlspecialchars_logo.diff (3.06 KB), Oliver Hader, 2018-04-04 08:26
Actions #1

Updated by Oliver Hader almost 6 years ago

  • Description updated (diff)
Actions #2

Updated by Oliver Hader almost 6 years ago

  • Description updated (diff)
  • Reporter set to Guido Schmechel
  • OTRS-Sec Ticket-ID set to 201802235760000013
Actions #4

Updated by Helmut Hummel almost 6 years ago

  • Project changed from 1716 to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)

Can be handled publicly, as the attack vector requires being able to add PHP code.

Actions #5

Updated by Andreas Kienast almost 6 years ago

Issue is reproducible in v7 only.

Fixing is not that easy, as the icon attribute must be an HTML string, which is generated by IconFactory, which also allows this kind of XSS.
One possible fix is that we backport the behavior of v9 and v8, which means we have an attribute called iconIdentifier instead and the icon gets rendered at the required location. The downside is that this solution is breaking.

Any opinions?
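
To make the contrast in this comment concrete, here is a constructed, self-contained PHP sketch added for this page (not TYPO3 code): it puts the v7-style rendering that echoes the hook's 'icon' HTML raw next to a hardened variant that resolves an iconIdentifier through an allowlisted registry standing in for IconFactory and escapes every text value. IconRegistry, esc(), the route URL and the PHP 7.1+ requirement are assumptions.

```php
<?php
// Constructed stand-in for TYPO3's IconFactory: only identifiers present in the
// registry resolve to markup, so hook code can no longer inject arbitrary HTML.
final class IconRegistry
{
    private const ICONS = [
        'actions-system-cache-clear' => '<span class="icon icon-cache-clear"></span>',
    ];

    public static function render(string $identifier): string
    {
        // Unknown identifier: emit a fixed fallback instead of the caller's string.
        return self::ICONS[$identifier] ?? '<span class="icon icon-default"></span>';
    }
}

function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Mirrors the v7 pattern from the report: 'icon' is trusted as HTML and echoed raw.
function renderDropdownItemVulnerable(array $action): string
{
    return '<a href="' . esc($action['href']) . '">' . $action['icon'] . ' '
        . esc($action['title']) . '</a>';
}

// Hardened variant along the lines of the v8/v9 approach: the hook supplies an
// iconIdentifier, rendering happens here, and all text values are escaped.
function renderDropdownItemHardened(array $action): string
{
    $icon = IconRegistry::render((string)($action['iconIdentifier'] ?? ''));
    return '<a href="' . esc($action['href']) . '" title="' . esc($action['description']) . '">'
        . $icon . ' ' . esc($action['title']) . '</a>';
}

// Constructed hook output using the payload from the report.
$action = [
    'id'             => 'news_clear_cache',
    'title'          => 'Flush news caches',
    'description'    => 'Clear fluid cache for frontend pages with news',
    'href'           => '/typo3/index.php?route=%2Fnews_clear_cache', // constructed URL
    'icon'           => '<script>alert(document.cookie);</script>',
    'iconIdentifier' => '<script>alert(document.cookie);</script>', // not registered, so ignored
];
echo renderDropdownItemVulnerable($action), PHP_EOL; // script element reaches the browser
echo renderDropdownItemHardened($action), PHP_EOL;   // fallback icon only, everything else escaped
```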

Actions #6

Updated by Jigal van Hemert almost 6 years ago

In 7LTS RemoveXSS is still available. It could be used to disable most potentially unwanted stuff (it won't give 100% protection).

Actions #7

Updated by Riccardo De Contardi over 5 years ago

  • Status changed from New to Closed

I close this issue (in agreement with the reporter) as it affects only v7; if this is the wrong decision or there is still work that should be done, please reopen it or ping me.

Thank you.
