[TYPO3-caretaker] Insecure Extension problem

Martin Ficzel martin.ficzel at gmx.de
Fri Sep 30 09:58:34 CEST 2011


On 27.09.11 17:43, Marc Wöhlken wrote:
> A related problem:
> In the situation described in my previous post, the caretaker FE plugin
> "caretaker abstract" outputs unescaped HTML code which is interpreted by
> the browser, e.g.
>
> www.domain.tld Insecure Extensions
>
> Command execution failed: Request Session Token failed:
> - HTTP-URL: http://www.domain.tld/?eID=tx_caretakerinstance&rst=1
> - HTTP-Status: 200
> - HTTP-Response: PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
>
>
> This results in rather demolished output and could lead to XSS
> problems when your TYPO3 site gets hacked.

I will think about this.
