Bug #84591
XSS in ToolbarItems icon rendering
Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2018-04-04
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing caches; I know about clearCacheCmd.)
Context: regular BE login and a sitepackage extension which registers this class.
Proof of concept: my class adds this identifier:
```php
<?php
use TYPO3\CMS\Backend\Routing\UriBuilder;
use TYPO3\CMS\Backend\Toolbar\ClearCacheActionsHookInterface;
use TYPO3\CMS\Core\Imaging\IconFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

class CacheManipulateClass implements ClearCacheActionsHookInterface
{
    /**
     * @param array $cacheActions
     * @param array $optionValues
     *
     * @return void
     */
    public function manipulateCacheActions(&$cacheActions, &$optionValues)
    {
        // Instantiated but not used: the icon below is passed as a raw string instead
        $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
        $cacheActions[] = [
            'id' => 'news_clear_cache',
            'title' => 'Flush news caches',
            'description' => 'Clear fluid cache for frontend pages with news',
            'href' => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
            // Proof-of-concept payload: ends up in the toolbar dropdown unescaped
            'icon' => '<script>alert(document.cookie);</script>'
        ];
    }
}
```
In TYPO3 7.6.x the cache manipulator has the option "icon", which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php.
In the function getDropdown (line 160), $cacheAction['icon'] is output without htmlspecialchars().
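The following is an added example, not TYPO3 core code and not the reporter's hook. It models the sink the report describes (the 'icon' entry concatenated into the dropdown as raw HTML while neighbouring fields are escaped) and shows the guard an extension author can put in front of it. The function names, the allowlist and the sample action are assumptions made for this example; it runs with plain PHP and needs no TYPO3 installation.

```php
<?php
declare(strict_types=1);

// Added example: models the unescaped 'icon' slot from the report and a guard
// for it. Not TYPO3 core code; all names below are assumptions for this example.

/**
 * Icon identifiers this extension is willing to turn into markup. The markup is
 * controlled by this code, which is why it may be emitted unescaped. A real hook
 * would obtain it from IconFactory::getIcon(...)->render(); the string here is a
 * constructed stand-in.
 */
const ICON_ALLOWLIST = [
    'actions-system-cache-clear' =>
        '<span class="t3js-icon icon icon-size-small icon-actions-system-cache-clear"></span>',
];

/**
 * Turn whatever ends up in a hook's 'icon' slot into something safe to emit.
 * Known identifiers become trusted markup; everything else is escaped as text,
 * so a value that originated from a request, a DB row or a config file cannot
 * inject tags or attributes.
 */
function safeIconMarkup(string $iconSource): string
{
    if (isset(ICON_ALLOWLIST[$iconSource])) {
        return ICON_ALLOWLIST[$iconSource];
    }
    return htmlspecialchars($iconSource, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Simplified model (an assumption, not the core method) of the dropdown
 * rendering the report points at: href and title are escaped, 'icon' is not.
 */
function renderCacheDropDown(array $cacheActions): string
{
    $html = '<ul class="dropdown-list">';
    foreach ($cacheActions as $action) {
        $html .= '<li><a class="dropdown-list-link" href="'
            . htmlspecialchars($action['href'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
            . $action['icon']   // raw HTML sink
            . ' ' . htmlspecialchars($action['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . '</a></li>';
    }
    return $html . '</ul>';
}

function cacheAction(string $icon): array
{
    // Constructed action; the href is a literal stand-in for buildUriFromRoute().
    return [
        'id'    => 'news_clear_cache',
        'title' => 'Flush news caches',
        'href'  => '/typo3/index.php?route=%2Fnews_clear_cache',
        'icon'  => $icon,
    ];
}

$payload = '<script>alert(document.cookie);</script>';   // the report's PoC value

$rawRender  = renderCacheDropDown([cacheAction($payload)]);
$safeRender = renderCacheDropDown([cacheAction(safeIconMarkup($payload))]);
$iconRender = renderCacheDropDown([cacheAction(safeIconMarkup('actions-system-cache-clear'))]);

// Unguarded: the script tag survives into the page.
var_dump(strpos($rawRender, '<script>') !== false);
// Guarded: the payload is inert text, and a legitimate icon still renders.
var_dump(strpos($safeRender, '<script>') === false);
var_dump(strpos($iconRender, 'icon-actions-system-cache-clear') !== false);
echo $safeRender, PHP_EOL;
```

Run it with `php example.php`. The guard escapes only values that are not known identifiers: because the slot is meant to carry icon markup (the reporter's own hook instantiates IconFactory for it), a blanket htmlspecialchars() on the slot would also neutralize legitimate icons, so the place to enforce "markup only from a source this code controls" is where the value enters the hook.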