Bug #19523

Updated by Helmut Hummel over 2 years ago

The redirect_url parameter in the felogin extension is not filtered by htmlspecialchars.

I have tested this on a freshly installed TYPO3 4.2.2 without any third-party extensions.
Simply create a login form and call the login page, e.g. with this URL:

http://www.somedomain.tld/index.php?id=login&redirect_url=%22%3e%3cSCRIPT%3ealert('Paros')%3c/SCRIPT%3e%3cspan%20%22

"login" is the alias of the login page.

Note: In some cases the server configuration can prevent this issue.

(issue imported from #M9673)
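The report describes the output context in which the value is reflected: the parameter ends up inside an HTML attribute without being escaped. The following added example (not felogin or TYPO3 code; the function names and the hidden-input markup are assumptions for illustration) renders the same kind of form field first without escaping and then with `htmlspecialchars()` applied, using the decoded parameter value from the reproduction URL above as constructed input.

```php
<?php
// Added example, not TYPO3 / felogin code. A minimal login form helper that
// echoes a redirect_url parameter into a hidden input, shown in the unsafe
// form the report describes and in a hardened form. Function names and
// markup are assumptions for illustration.

// Unsafe: the raw parameter lands inside a double-quoted attribute, so a
// value containing "> closes the input tag and injects markup (reflected XSS).
function render_hidden_redirect_unsafe(string $redirectUrl): string
{
    return '<input type="hidden" name="redirect_url" value="' . $redirectUrl . '">';
}

// Hardened: htmlspecialchars() with ENT_QUOTES encodes <, >, &, " and ' as
// entities, so the value stays inside the attribute whatever it contains.
function render_hidden_redirect_safe(string $redirectUrl): string
{
    $escaped = htmlspecialchars($redirectUrl, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="redirect_url" value="' . $escaped . '">';
}

// Simple check a reviewer can run against rendered output: does the markup
// still contain an unescaped tag opener outside the intended attribute?
function contains_raw_tag(string $html): bool
{
    // Only one tag is expected: the <input ...> itself.
    return substr_count($html, '<') > 1;
}

// Constructed input: the URL-decoded redirect_url value from the report.
$input = '"><SCRIPT>alert(\'Paros\')</SCRIPT><span "';

$unsafe = render_hidden_redirect_unsafe($input);
$safe   = render_hidden_redirect_safe($input);

echo "unsafe: " . $unsafe . "\n";
echo "  raw tag injected: " . (contains_raw_tag($unsafe) ? 'yes' : 'no') . "\n\n";
echo "safe:   " . $safe . "\n";
echo "  raw tag injected: " . (contains_raw_tag($safe) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`; the unsafe rendering contains a second `<SCRIPT>` tag while the hardened rendering keeps the whole value as entity-encoded attribute text. `htmlspecialchars()` addresses the HTML output context only; what the application later does with the value (for example redirecting to it) is a separate validation question not covered by this report.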
