Bug #98382: Properly encode error messages in FileController
Status: Closed
% Done: 100%
Description
Disclaimer
This was originally reported as a vulnerability. After analyzing the scenario, the TYPO3 Security Team came to the conclusion to handle it in public. It cannot be exploited directly without knowing the backend form protection token of a particular user session.
Original Report
This has been reported as "self XSS". We simplified the mentioned PoC to an HTTP GET request; however, it does not seem to be vulnerable via cross-site requests.
v11: https://example.com/typo3/ajax/file/process?token=<token>&data[newfile][0][target]=1:/&data[newfile][0][data]=<script>alert(1)</script>N0T3X15T1N6.php
v10: https://example.com/typo3/index.php?route=%2Fajax%2Ffile%2Fprocess&token=<token>&data[newfile][0][target]=1:/&data[newfile][0][data]=%3Cscript%3Ealert(1)%3C/script%3EN0T3X15T1N6.php
With the following response:
HTTP/1.1 500 (AJAX)
Date: Tue, 20 Sep 2022 10:49:35 GMT
Server: Apache/2.4.54 (Unix) OpenSSL/3.0.5 mod_fcgid/2.3.9
X-Powered-By: PHP/8.1.9
X-Frame-Options: SAMEORIGIN
Expires: 0
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Tue, 20 Sep 2022 10:49:35 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

<t3err>Extension of file "<script>alert(1)</script>N0T3X15T1N6.php" was not allowed!</t3err>

In TYPO3 v12 the response has been streamlined to application/json. For earlier versions it would be considered as "hardening" by encoding the HTML output. This probably can be handled in public.
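The reflection described in the report, as an added example that is not part of the ticket or of TYPO3's own code: a stand-alone PHP script that models the `<t3err>` envelope of the "500 (AJAX)" response once with the file name reflected verbatim and once entity-encoded, together with a small check that a reviewer can run over such a body. The function names `buildT3errBody`, `extensionNotAllowedMessage` and `findUnencodedMarkup`, and the explicit `ENT_QUOTES | ENT_SUBSTITUTE` flags, are assumptions made for this illustration, not what the core patch uses.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Models the text/html <t3err> envelope that the
// report shows for the non-includeMessages AJAX path, with and without encoding.

/**
 * Builds the body of the "500 (AJAX)" response: error messages joined by ','
 * inside a <t3err> element. With $encode=false the message text is reflected
 * verbatim (the reported behaviour); with $encode=true it is entity-encoded
 * first (the hardening).
 */
function buildT3errBody(array $errors, bool $encode): string
{
    if ($encode) {
        // Flags are passed explicitly (assumption for this example): on PHP < 8.1
        // htmlspecialchars() defaults to ENT_COMPAT, which leaves single quotes
        // untouched, and without ENT_SUBSTITUTE an invalid UTF-8 message would
        // encode to an empty string and silently hide the error.
        $errors = array_map(
            static function (string $message): string {
                return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            },
            $errors
        );
    }
    return '<t3err>' . implode(',', $errors) . '</t3err>';
}

/** Mirrors the message text from the report for a rejected file extension. */
function extensionNotAllowedMessage(string $fileName): string
{
    return 'Extension of file "' . $fileName . '" was not allowed!';
}

/**
 * Review check: the payload between the <t3err> tags must not contain the
 * characters that open a tag or break out of an attribute value.
 * Returns the offending characters found, an empty array if the body is clean.
 */
function findUnencodedMarkup(string $body): array
{
    $inner = preg_replace('#^<t3err>|</t3err>$#', '', $body) ?? $body;
    $found = [];
    foreach (['<', '>', '"', "'"] as $character) {
        if (strpos($inner, $character) !== false) {
            $found[] = $character;
        }
    }
    return $found;
}

// Constructed input: the file name from the PoC request in the report.
$fileName = '<script>alert(1)</script>N0T3X15T1N6.php';
$errors = [extensionNotAllowedMessage($fileName)];

$vulnerable = buildT3errBody($errors, false);
$hardened = buildT3errBody($errors, true);

// Expected: the verbatim body leaks <, > and ", the encoded one leaks nothing.
assert(findUnencodedMarkup($vulnerable) === ['<', '>', '"']);
assert(findUnencodedMarkup($hardened) === []);
assert(strpos($hardened, '&lt;script&gt;alert(1)&lt;/script&gt;') !== false);

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
```

Run it with `php example.php` (assertions are active when `zend.assertions=1`, the default for development ini files). The message text is what an attacker controls here, so the encoding has to happen on the message, not on the `<t3err>` wrapper; the check deliberately ignores the wrapper and inspects only the inner payload.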
diff --git a/typo3/sysext/backend/Classes/Controller/File/FileController.php b/typo3/sysext/backend/Classes/Controller/File/FileController.php index be3db3ee5e..5242e8feeb 100644 --- a/typo3/sysext/backend/Classes/Controller/File/FileController.php +++ b/typo3/sysext/backend/Classes/Controller/File/FileController.php @@ -142,6 +142,7 @@ class FileController $includeMessages = (bool)($request->getQueryParams()['includeMessages'] ?? false); $errors = $this->fileProcessor->getErrorMessages(); if (!$includeMessages && !empty($errors)) { + $errors = array_map('htmlspecialchars', $errors); return (new HtmlResponse('<t3err>' . implode(',', $errors) . '</t3err>'))->withStatus(500, '(AJAX)'); } $flatResult = [];
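Review bot: `array_map('htmlspecialchars', $errors)` relies on the default flags, and on the PHP versions the 10.4 and 11.5 branches still support (before 8.1) the default is `ENT_COMPAT`, which leaves single quotes unencoded and returns an empty string for a message containing invalid UTF-8, so the error would disappear instead of being shown; pass the flags explicitly, e.g. `$errors = array_map(static fn (string $m): string => htmlspecialchars($m, ENT_QUOTES | ENT_SUBSTITUTE), $errors);`. Since the response keeps its `text/html` type and the `<t3err>` envelope, whichever client reads the text between the tags must now entity-decode it before showing it as plain text, otherwise users will see `&lt;script&gt;` literally; that consumer is not in this hunk, so it is worth confirming before merge.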
Updated by Oliver Hader about 2 years ago
- Subject changed from VULN-002 Self-Reflected Cross-Site Scripting in Filelist Module to Properly encode error messages in FileController
Updated by Oliver Hader about 2 years ago
- Project changed from 1716 to TYPO3 Core
- Category deleted (OW-A07: Cross Site Scripting)
- Target version deleted (public)
- Reporter deleted (Mohamad nour Almujarkesh)
- OTRS-Sec Ticket-ID deleted (2022091510000021)
- Affected Version deleted (10,11)
Updated by Gerrit Code Review about 2 years ago
- Status changed from New to Under Review
Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/76349
Updated by Gerrit Code Review about 2 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/76350
Updated by Oliver Hader about 2 years ago
- Description updated (diff)
- Status changed from Under Review to New
Updated by Oliver Hader about 2 years ago
- Status changed from New to Under Review
Updated by Oliver Hader about 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 3a3eaceb34c5905a222d496fd44bf6374fbf6445.
Updated by Benni Mack almost 2 years ago
- Status changed from Resolved to Closed