[TYPO3-team-templavoila] FYI48: #13157: cm2 has no back functionality if returnUrl is given

Dmitry Dulepov dmitry.dulepov at gmail.com
Wed Jan 6 19:32:16 CET 2010


Hi!

On 06/01/2010 20:30, Dmitry Dulepov wrote:
> It seems that there is a security issue with this patch. There is a
> comment about it in the bug tracker. It adds an XSS vulnerability to TemplaVoila.

I would actually say it is a remote file inclusion because returnUrl is not validated to belong to the current site. This has to be checked. If it was not checked before, we should be more aware of it now.

-- 
Dmitry Dulepov
"Trust me, I am a doctor!" (c) Gregory House, M.D.
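
The check this message asks for, that returnUrl belongs to the current site, sketched as an added example that is not part of the original message or of TemplaVoila. The helper name sanitizeReturnUrl(), the host "cms.example" and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example; sanitizeReturnUrl() is a hypothetical helper, not TYPO3 or TemplaVoila API.
// Returns $returnUrl when it stays on the current site, otherwise $fallback.
function sanitizeReturnUrl(string $returnUrl, string $siteHost, string $fallback = '/'): string
{
    // Control characters, whitespace and backslashes are rejected outright:
    // browsers may strip or normalise them, so the parsed URL would not match
    // what the browser finally requests.
    if ($returnUrl === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $returnUrl)) {
        return $fallback;
    }
    $parts = parse_url($returnUrl);
    if ($parts === false) {
        return $fallback;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative form: accept only a site-absolute path ("/backend/...").
        // "//host/path" is protocol-relative and leaves the site.
        $local = strncmp($returnUrl, '/', 1) === 0 && strncmp($returnUrl, '//', 2) !== 0;
        return $local ? $returnUrl : $fallback;
    }
    // Absolute form: http(s) only, no userinfo, host equal to the current site.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = strtolower($parts['host'] ?? '');
    $sameSite = in_array($scheme, ['http', 'https'], true)
        && !isset($parts['user'])
        && $host === strtolower($siteHost);
    return $sameSite ? $returnUrl : $fallback;
}

// Constructed sample values; "cms.example" stands in for the current site's host.
$samples = [
    '/backend/list.php?id=12',
    'https://cms.example/backend/edit.php',
    'https://other.example/backend/edit.php',
    '//other.example/',
    'https://cms.example@other.example/',
    'javascript:void(0)',
];
foreach ($samples as $url) {
    printf("%-42s => %s\n", $url, sanitizeReturnUrl($url, 'cms.example'));
}
```

The helper compares hosts only; a site that serves its backend on a non-default port would also compare `$parts['port']`.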
