[TYPO3-mvc] Can forms be easily manipulated?

Chris Wolff - AERTiCKET AG cwolff at aer.de
Fri Dec 12 14:40:17 CET 2014


Hi Jan,
Such manipulations should not be possible. All forms created via the Extbase form helper contain a hidden field,

"tx_yourextensionkey_pi1[__trustedProperties]", which contains a serialized array of the properties sent to the client. There is also a hash appended to this serialization.
I'm not quite sure how the hash is generated, but I would guess the TYPO3 encryptionKey (found in your LocalConfiguration) is involved in this.

Therefore the attack vector you outlined should not be possible unless the attacker knows the encryptionKey.

Regards, Chris

-----Original Message-----
From: typo3-project-typo3v4mvc-bounces at lists.typo3.org [mailto:typo3-project-typo3v4mvc-bounces at lists.typo3.org] On behalf of Jan Kornblum
Sent: Friday, 12 December 2014 13:48
To: typo3-project-typo3v4mvc at lists.typo3.org
Subject: [TYPO3-mvc] Can forms be easily manipulated?

Dear newsgroup,

Is it easily possible for an attacker to manipulate a form by submitting additional fields which exist in the underlying domain model? Would these fields be persisted into the database?

For example, there is a form (newAction) containing the fields "firstname" and "lastname", but the model contains additional fields like "street", "zip" and "city". What happens if an attacker now manipulates the POST array by adding the field "street"?

Kind regards, Jan


_______________________________________________
TYPO3-project-typo3v4mvc mailing list
TYPO3-project-typo3v4mvc at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-project-typo3v4mvc
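To make the mechanism Chris describes concrete for Jan's scenario, here is an added example that is not from the thread and not TYPO3's or Extbase's own code. It models a "trusted properties" token in plain Python: the server serializes the list of fields it rendered, appends an HMAC computed with a server-side secret (standing in for the encryptionKey), and on submit re-verifies the token and drops any submitted field that is not in the signed list. The field names, the key value and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed placeholder standing in for a server-side secret such as the
# TYPO3 encryptionKey. A real deployment uses a long random value that never
# leaves the server.
ENCRYPTION_KEY = b"constructed-placeholder-encryption-key"

MAC_HEX_LEN = hashlib.sha256().digest_size * 2  # 64 hex characters


def sign_trusted_properties(field_names, key=ENCRYPTION_KEY):
    """Serialize the rendered field list and append an HMAC-SHA256 over it.

    The result is what would travel to the browser in the hidden field; it is
    readable by the client but cannot be altered without the key.
    """
    payload = json.dumps(sorted(field_names), separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + mac


def verify_trusted_properties(token, key=ENCRYPTION_KEY):
    """Return the set of allowed field names, or None if the token is invalid.

    Verification happens before the payload is parsed, so a tampered list is
    never trusted even partially.
    """
    if len(token) <= MAC_HEX_LEN:
        return None
    payload, mac = token[:-MAC_HEX_LEN], token[-MAC_HEX_LEN:]
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        names = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        return None
    return set(names)


class TamperedFormError(ValueError):
    """Raised when the trusted-properties token does not verify."""


def map_submitted_arguments(post, token):
    """Split a submitted POST dict into (accepted, rejected) field names.

    Only fields listed in the verified token are accepted; everything else is
    reported so the application can log or reject the request.
    """
    allowed = verify_trusted_properties(token)
    if allowed is None:
        raise TamperedFormError("__trustedProperties signature invalid")
    accepted = {k: v for k, v in post.items() if k in allowed}
    rejected = sorted(k for k in post if k not in allowed)
    return accepted, rejected


if __name__ == "__main__":
    # Server renders a form with firstname and lastname only.
    token = sign_trusted_properties(["firstname", "lastname"])

    # Constructed submission: the client added a "street" field the form never had.
    post = {"firstname": "Jan", "lastname": "Kornblum", "street": "Example Street 1"}
    accepted, rejected = map_submitted_arguments(post, token)
    print("accepted:", accepted)   # only firstname and lastname
    print("rejected:", rejected)   # ['street']

    # Constructed tampering: the token's field list is edited without the key.
    forged = token.replace('"lastname"', '"street"')
    try:
        map_submitted_arguments(post, forged)
    except TamperedFormError as exc:
        print("forged token refused:", exc)
```

The two defensive properties worth noting are that the allowed list is decided at render time rather than inferred from what arrives, and that the signature check runs before the payload is deserialized, so an edited list is discarded as a whole instead of being merged with the genuine one.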
