Project

General

Profile

Bug #98382

Updated by Oliver Hader about 2 years ago

This has been reported as "self XSS" (see attached PDF document). We simplified the mentioned PoC to a @HTTP GET@ request, however it does not seem to be vulnerable via cross-site requests. 

 <pre> 
 https://example.com/typo3/ajax/file/process?token=<token>&data[newfile][0][target]=1:/&data[newfile][0][data]=<script>alert(1)</script>N0T3X15T1N6.php 
 </pre> 

 With the following response: 

 <pre> 
 HTTP/1.1 500 (AJAX) 
 Date: Tue, 20 Sep 2022 10:49:35 GMT 
 Server: Apache/2.4.54 (Unix) OpenSSL/3.0.5 mod_fcgid/2.3.9 
 X-Powered-By: PHP/8.1.9 
 X-Frame-Options: SAMEORIGIN 
 Expires: 0 
 Cache-Control: no-cache, must-revalidate 
 Pragma: no-cache 
 Last-Modified: Tue, 20 Sep 2022 10:49:35 GMT 
 Connection: close 
 Transfer-Encoding: chunked 
 Content-Type: text/html; charset=utf-8 

 <t3err>Extension of file "<script>alert(1)</script>N0T3X15T1N6.php" was not allowed!</t3err>% 
 </pre> 

 In TYPO3 v12 the response has been streamline to be @application/json@. For earlier versions it would be considered as "hardening" by encoding the HTML output. This probably can be handled in public. 

 <pre> 
 diff --git a/typo3/sysext/backend/Classes/Controller/File/FileController.php b/typo3/sysext/backend/Classes/Controller/File/FileController.php 
 index be3db3ee5e..5242e8feeb 100644 
 --- a/typo3/sysext/backend/Classes/Controller/File/FileController.php 
 +++ b/typo3/sysext/backend/Classes/Controller/File/FileController.php 
 @@ -142,6 +142,7 @@ class FileController 
          $includeMessages = (bool)($request->getQueryParams()['includeMessages'] ?? false); 
          $errors = $this->fileProcessor->getErrorMessages(); 
          if (!$includeMessages && !empty($errors)) { 
 +              $errors = array_map('htmlspecialchars', $errors); 
              return (new HtmlResponse('<t3err>' . implode(',', $errors) . '</t3err>'))->withStatus(500, '(AJAX)'); 
          } 
          $flatResult = []; 
 </pre>

Back