Bug #97930
open
Harden distribution overview in extension manager
Added by Frank Nägler almost 2 years ago.
Updated over 1 year ago.
Description
The distribution overview page is vulnerable to XSS.
If a distribution description contains XSS within the first 150 characters, the overview executes the code.
File: EXT:extensionmanager/Resources/Private/Partials/List/Distribution.html
Affected code: {distribution.description -> f:format.crop(maxCharacters: 150) -> f:format.raw()}
Reproduce: inject the code <script>alert('XSS');</script> into the description of an extension / distribution and open the overview.
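To make the reported behaviour concrete, here is a small plain-PHP model of the affected Fluid chain (crop to 150 characters, then output raw) next to a variant that escapes after the crop. This is an added illustration, not TYPO3 code; the function names and the sample descriptions are constructed for the example.

```php
<?php
// Added illustration, not TYPO3 code: models crop(150) -> raw versus
// crop(150) -> htmlspecialchars, with the escaping applied AFTER the crop.

declare(strict_types=1);

/** Plain character crop, standing in for f:format.crop(maxCharacters: 150). */
function cropDescription(string $description, int $max = 150): string
{
    return mb_substr($description, 0, $max);
}

/** Vulnerable variant: cropped text is emitted unchanged (f:format.raw). */
function renderRaw(string $description): string
{
    return cropDescription($description);
}

/** Hardened variant: escape after cropping, so even a tag cut open by the crop
 *  cannot start markup in the rendered overview. */
function renderEscaped(string $description): string
{
    return htmlspecialchars(cropDescription($description), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: payload inside the first 150 characters, as in the report.
$early = "Nice distribution. <script>alert('XSS');</script> " . str_repeat('x', 200);
// Constructed sample: payload after the 150-character window; the crop drops it,
// which is why the report limits the exposure to the first 150 characters.
$late = str_repeat('y', 150) . "<script>alert('XSS');</script>";

foreach (['early' => $early, 'late' => $late] as $name => $description) {
    $raw  = renderRaw($description);
    $safe = renderEscaped($description);
    printf("%-5s raw:     contains <script>? %s\n", $name, str_contains($raw, '<script>') ? 'yes' : 'no');
    printf("%-5s escaped: contains <script>? %s\n", $name, str_contains($safe, '<script>') ? 'yes' : 'no');
}
```

Running it shows the raw variant keeps the tag intact for the "early" input only, while the escaped variant emits no tag for either input.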
- Reporter set to Frank Nägler
- Affected Version set to 9.0, 10, 11
- Related to Task #82000: Use new card layout for distributions list view added
- TYPO3 Version changed from 12 to 9
I tested it by changing the data directly in the database. I guess that there is no filter in the upload process.
extensions.xml.gz contents are imported as is into the database → XSS confirmed for that part of the vector.
The missing piece is still how the TER handles/sanitizes uploaded data.
- Priority changed from Should have to Must have
- Target version set to Release February 2024
Did not manage to exploit this via upload:
<version version="9.9.0">
<title>The Official TYPO3 Cross-Site Scripting Package</title>
<description>This package provides XSS by using scriptalert(12345)/script</description>
<state>stable</state>
<reviewstate>0</reviewstate>
<category>distribution</category>
...
<version version="9.9.1">
<title>The Official TYPO3 Cross-Site Scripting Package</title>
<description>&lt;script&gt;alert(2)&lt;/script&gt; ![CDATA[scriptalert(12345)/script &lt;script&gt;alert(3)&lt;/script&gt;]]</description>
<state>stable</state>
<reviewstate>0</reviewstate>
<category>distribution</category>
- Status changed from Accepted to Needs Feedback
- Priority changed from Must have to Should have
After analyzing the behavior of the actual TER, I don't see a real attack vector anymore. I'd opt for fixing this in public; what do you think?
I am OK with fixing it in public.
The sanitizer looks a bit weird, I think there are better ways to handle XML or data in XML, but your test proves that no vector exists, so let's fix it in public.
Since the issue cannot be exploited using the TER extension upload, a fix in public is also OK for me.
- Target version changed from Release February 2024 to public
- Project changed from 1716 to TYPO3 Core
- Subject changed from XSS in distribution overview to Harden distribution overview in extension manager
- Category changed from OW-A07: Cross Site Scripting to Security
- Target version deleted (public)
- Reporter deleted (Frank Nägler)
- Affected Version deleted (9.0, 10, 11)
→ moved from security tracker to public core tracker