[TYPO3-dev] config.baseURL, lt_basetag and security
Ernesto Baschny [cron IT]
ernst at cron-it.de
Fri Sep 25 16:20:09 CEST 2009
Marc Wöhlken schrieb:
> In earlier TYPO3 versions (< 4.0?) it was possible to use config.baseURL
> = 1 to let TYPO3 determine the correct current base url.
>
> AFAIK this feature had been disabled for security reasons (XSS?).
>
> Yesterday I stumbled over an extension called lt_basetag which does
> exactly what the above mentioned option did.
>
> Is this of concern when thinking in terms of security? Could someone
> possibly explain why the "old" approach was not safe?
The old approach relied on the $_SERVER["HTTP_HOST"] variable, which
under certain circumstances can be manipulated "at will" by an attacker.
These circumstances are, for example, when IP-based virtual hosting is
applied (one IP hosts one single TYPO3 installation), so the webserver
(Apache) doesn't check or interpret the provided "Host:" header from the GET
requests, but still transfers it to the $_SERVER variable in PHP.
So the attacker could call:
telnet ip-address 80
...
GET / HTTP/1.0
Host: www.yahoo.com
This will be answered by TYPO3, and if baseURL=1 the "www.yahoo.com"
will be placed in the "base href" header. And if the page was not in
cache before, it will be *cached* in that way!
So any further client accessing this page after that will get a bogus
base href. In case of www.yahoo.com he will get lots of "file not found"
and CSS bugs, but in case of a malicious attacker, he could provide all
relevant files so that the user doesn't even notice it, but then, after
the next click, will be directed to the attacker website (or even a login
via POST will submit the username+password to the attacker's server).
This extension is "bad" in that it doesn't really warn the user about
these ramifications.
Cheers,
Ernesto
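The cache-poisoning path Ernesto describes, modelled as an added example (constructed here, not TYPO3 or lt_basetag code): a page's base href is derived from the request's Host header, the rendered page is stored in a full-page cache, and one forged request therefore taints every later visitor. The hardened variant accepts only hostnames from an explicit allowlist and otherwise falls back to the configured base URL; the hostnames, the cache class and the `REJECTED_HOSTS` log are all assumptions made for the example.

```python
"""Constructed model of deriving <base href> from the Host header, with and
without an allowlist, in front of a simple full-page cache. Not TYPO3 code."""
import re

# Constructed configuration (assumption): the equivalent of a fixed
# config.baseURL plus the set of hostnames this site legitimately answers to.
CONFIGURED_BASE_URL = "http://www.example.com/"
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Rejected Host values are recorded so a defender can alert on them.
REJECTED_HOSTS = []


def base_href_from_host(host_header: str) -> str:
    """Vulnerable derivation: trusts whatever Host: the client sent."""
    return f"http://{host_header}/"


def base_href_allowlisted(host_header: str) -> str:
    """Hardened derivation: normalise the header and accept only known hosts."""
    host = host_header.strip().lower()
    # Drop an explicit port so "www.example.com:80" still matches the allowlist.
    if ":" in host:
        host = host.split(":", 1)[0]
    if host in ALLOWED_HOSTS:
        return f"http://{host}/"
    REJECTED_HOSTS.append(host_header)
    return CONFIGURED_BASE_URL


def render_page(base_href: str) -> str:
    """Minimal page template that embeds the base href in the header."""
    return f'<html><head><base href="{base_href}"></head><body>...</body></html>'


def extract_base_href(html: str):
    """Read back the base href a visitor's browser would act on."""
    match = re.search(r'<base href="([^"]*)"', html)
    return match.group(1) if match else None


class PageCache:
    """Full-page cache keyed by path only, as in the scenario in the post:
    whichever request renders the page first decides what everyone gets."""

    def __init__(self, derive_base):
        self.derive_base = derive_base
        self.store = {}

    def serve(self, path: str, host_header: str) -> str:
        if path not in self.store:
            self.store[path] = render_page(self.derive_base(host_header))
        return self.store[path]


def simulate(derive_base) -> str:
    """Replay the scenario: one request with a forged Host header renders and
    caches the page, then a normal visitor requests it. Returns the base href
    that normal visitor receives."""
    cache = PageCache(derive_base)
    # Constructed forged request (the "telnet ... Host:" step in the post).
    cache.serve("/", "forged-host.example")
    # A legitimate visitor later hits the same, now cached, page.
    html = cache.serve("/", "www.example.com")
    return extract_base_href(html)


if __name__ == "__main__":
    print("trusting Host header:", simulate(base_href_from_host))
    print("allowlisted Host:    ", simulate(base_href_allowlisted))
    print("rejected Host values:", REJECTED_HOSTS)
```

The hardened function is the one to keep in mind: because the cache key ignores the request host, validating the host (or ignoring it entirely in favour of a fixed base URL) is what stops a single bogus request from being served to every later visitor, and the rejected values are worth logging since they never occur in normal traffic.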