Bug #98382

closed

Properly encode error messages in FileController

Added by Oliver Hader about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2022-09-20
% Done: 100%
TYPO3 Version: 11

Description

Disclaimer

This was originally reported as a vulnerability. After analyzing the scenario, the TYPO3 Security Team concluded that it can be handled in public: it cannot be exploited directly without knowing the backend form protection token of the particular user session.


Original Report

This has been reported as "self XSS". We simplified the reported PoC to an HTTP GET request; however, it does not seem to be vulnerable via cross-site requests.

v11: https://example.com/typo3/ajax/file/process?token=<token>&data[newfile][0][target]=1:/&data[newfile][0][data]=<script>alert(1)</script>N0T3X15T1N6.php
v10: https://example.com/typo3/index.php?route=%2Fajax%2Ffile%2Fprocess&token=<token>&data[newfile][0][target]=1:/&data[newfile][0][data]=%3Cscript%3Ealert(1)%3C/script%3EN0T3X15T1N6.php

With the following response:

HTTP/1.1 500 (AJAX)
Date: Tue, 20 Sep 2022 10:49:35 GMT
Server: Apache/2.4.54 (Unix) OpenSSL/3.0.5 mod_fcgid/2.3.9
X-Powered-By: PHP/8.1.9
X-Frame-Options: SAMEORIGIN
Expires: 0
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Tue, 20 Sep 2022 10:49:35 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

<t3err>Extension of file "<script>alert(1)</script>N0T3X15T1N6.php" was not allowed!</t3err>%

In TYPO3 v12 the response has been streamlined to application/json. For earlier versions, encoding the HTML output would be considered "hardening". This probably can be handled in public.
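To make both mitigations concrete, here is an added example (not TYPO3's own code) that builds the error body from the report verbatim, HTML-encoded as in the v10/v11 hardening, and as a JSON body in the v12 shape; the function names and the JSON layout are assumptions.

```php
<?php
// Added example, not TYPO3's own code: the error body from the report built
// verbatim (pre-fix), HTML-encoded (the v10/v11 hardening), and as JSON
// (the v12 shape). Function names and the JSON layout are assumptions.
declare(strict_types=1);

// Constructed input: the message the request in the report produced.
const SAMPLE_ERRORS = [
    'Extension of file "<script>alert(1)</script>N0T3X15T1N6.php" was not allowed!',
];

// Pre-fix behaviour: messages go into a text/html body verbatim, so "<"
// and ">" from the filename are parsed as markup by whatever renders it.
function buildT3errBodyUnsafe(array $errors): string
{
    return '<t3err>' . implode(',', $errors) . '</t3err>';
}

// Hardened v10/v11 variant: encode each message before it becomes element
// content. Flags are explicit so the result does not depend on the PHP
// version's htmlspecialchars() defaults (single quotes are only encoded by
// default since PHP 8.1).
function buildT3errBody(array $errors): string
{
    $encoded = array_map(
        static fn (string $m): string => htmlspecialchars($m, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'),
        $errors
    );
    return '<t3err>' . implode(',', $encoded) . '</t3err>';
}

// v12-style variant: a structured application/json body. JSON_HEX_TAG turns
// "<" and ">" into \u003C and \u003E, so the body stays inert even if a
// client wrongly injected it as HTML.
function buildJsonErrorBody(array $errors): string
{
    return json_encode(
        ['success' => false, 'errors' => array_values($errors)],
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Sanity check: neither hardened body carries a raw "<script" sequence,
// while the pre-fix body does.
assert(stripos(buildT3errBodyUnsafe(SAMPLE_ERRORS), '<script') !== false);
foreach ([buildT3errBody(SAMPLE_ERRORS), buildJsonErrorBody(SAMPLE_ERRORS)] as $body) {
    assert(stripos($body, '<script') === false);
}
echo buildT3errBody(SAMPLE_ERRORS), PHP_EOL;
```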

diff --git a/typo3/sysext/backend/Classes/Controller/File/FileController.php b/typo3/sysext/backend/Classes/Controller/File/FileController.php
index be3db3ee5e..5242e8feeb 100644
--- a/typo3/sysext/backend/Classes/Controller/File/FileController.php
+++ b/typo3/sysext/backend/Classes/Controller/File/FileController.php
@@ -142,6 +142,7 @@ class FileController
         $includeMessages = (bool)($request->getQueryParams()['includeMessages'] ?? false);
         $errors = $this->fileProcessor->getErrorMessages();
         if (!$includeMessages && !empty($errors)) {
+            $errors = array_map('htmlspecialchars', $errors);
             return (new HtmlResponse('<t3err>' . implode(',', $errors) . '</t3err>'))->withStatus(500, '(AJAX)');
         }
         $flatResult = [];
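Review bot: the added line `$errors = array_map('htmlspecialchars', $errors);` relies on PHP's default htmlspecialchars() flags, which differ between PHP versions (single quotes are left unencoded before PHP 8.1); inside the `<t3err>` element content this is harmless, but passing explicit flags, e.g. `array_map(static fn ($e) => htmlspecialchars($e, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), $errors)`, makes the behaviour explicit and consistent across supported PHP versions. Two things are worth confirming alongside this: that the JavaScript consumer of the `<t3err>` body inserts the message as HTML rather than as text (otherwise `&lt;` is now displayed literally), and that the `$includeMessages` branch, which is not changed here and emits the same `$errors` through a different path, encodes them appropriately for that response's content type.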