[TYPO3-core] RFC #15227: Bug: class.tslib_content.php returns unfiltered data

Roland Schenke rs at kruselenz.com
Mon Jul 26 10:15:10 CEST 2010


Hi Dmitry,
Hi Jigal,

On 26.07.2010 at 10:00, Dmitry Dulepov wrote:

> Hi!
> 
> Roland Schenke wrote:
>> This exploit might be trivial
> 
> Did you contact the security team before posting a security-related issue
> here and making it public? I guess you didn't, which is quite bad :(
> 
> security at typo3.org is the right place to send these issues to.


of course I did. It has ticket id #2010072010000028.
I pasted the Security Team's response below this reply.

@Jigal Should I update my patch, test it with your regex pattern and resubmit it?

Thanks for your time.
Roland

Response of TYPO3 Security Team:

----
Dear Roland Schenke,

this e-mail is sent to you on behalf of the TYPO3 Security Team.

Thank you for notifying us about your findings.

Roland Schenke <helmut at typo3.org> wrote:

> today when I was trying to understand the functioning of typo3/sysext/
> cms/tslib/class.tslib_content.php I might have found something that
> could be used as an XSS vector.
> I want to point out that I do not know if the following can be used to
> do any harm to users, visitors, etc. or if it is just some old, imperfectly
> written code.
> 
> I am quite confident that this is not intended behavior and to let
> sleeping dogs lie I did not file it to the bugtracker yet.
> 
> typo3/sysext/cms/tslib/class.tslib_content.php
> Version: current SVN trunk
> 
> In function class.tslib_content.php::MULTIMEDIA() one has the ability
> to specify height and width parameters for such objects via TypoScript.
> In lines 2632, 2633 and 2639, 2640 these values are assigned
> unfiltered to HTML attributes which are part of the <embed> tag that
> is used to embed the defined object like movies, Flash applications or
> Java class files.
> 
> Using the following TypoScript I was able to draw a dotted red border  
> around the <embed> tag.
> 
> # Default PAGE object:
> page = PAGE
> page.10 = MULTIMEDIA
> page.10.file = fileadmin/sample1.mpg
> page.10.width = 640" style="border: 3px dotted red;
> page.10.height = 480
> 
> This exploit might be trivial but I'm quite sure it is not intended
> nor expected.
> The following patch should remove this as it seems that integer is the
> desired data type.

I do not consider this a critical issue because it can only be exploited if
an admin sets such things in TypoScript. As an admin as well as an extension
programmer you are responsible for writing secure code and secure TypoScript.

If you have control over TypoScript you can easily write things like:

page.10 = TEXT
page.10.data = GP:myvar

which of course should be avoided.

However, in the case you found (XSS), problems could easily be avoided as you
suggested. Please feel free to add a bug report on bugs.typo3.org and attach
your patch to the report. Additionally you could write an RFC for the core
list, so this will be fixed in future versions of TYPO3.

Thanks again for your report. If you find other or similar things please do
not hesitate to contact us again.

Regards,

Helmut Hummel
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: http://typo3.org/teams/security/

E-Mail: security at typo3.org

Please note: When replying to this e-mail, please leave the header intact.
----
End of reply of TYPO3 Security Team

--
Mit freundlichen Grüßen / Best regards

Roland Schenke
Research and Development

K & L Internet Service
Kruse & Lenz GbR - Vrestorfer Weg 5 - 21339 Lüneburg

Phone  : 0176 / 46534665
E-Mail : info at kruselenz.com
Web    : www.kruselenz.com

*** Websites * CMS * Web shops * Hosting * Graphics ***
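The report above describes TypoScript width/height values being concatenated straight into the attributes of the generated <embed> tag, and states that an integer is the intended data type. The following PHP is an added illustration written for this page, not TYPO3 core code and not Roland's patch: the function names, the exact markup shape and the use of a plain integer cast as the fix are assumptions. It contrasts the unfiltered construction with the integer-cast variant on the TypoScript value from the report, and adds a small check that flags any configured dimension the cast would alter, which is a cheap way to audit existing TypoScript for values that are not plain integers.

```php
<?php
// Added example (not from TYPO3 core): attribute injection through an
// unfiltered TypoScript dimension, beside an integer-cast variant.
// All names below are assumptions made for this illustration.

/**
 * Mimics the behaviour described in the report: the configured width and
 * height are written into HTML attributes without any filtering.
 */
function buildEmbedUnfiltered(array $conf): string
{
    return '<embed src="' . htmlspecialchars($conf['file'], ENT_QUOTES)
        . '" width="' . $conf['width']
        . '" height="' . $conf['height'] . '">';
}

/**
 * Hardened variant: width and height are cast to integers before use,
 * the data type the report says is intended. PHP's (int) cast keeps only
 * the leading numeric part, so any trailing text (an injected attribute)
 * is discarded and cannot terminate the quoted attribute value.
 */
function buildEmbedFiltered(array $conf): string
{
    $width  = (int) $conf['width'];
    $height = (int) $conf['height'];
    return '<embed src="' . htmlspecialchars($conf['file'], ENT_QUOTES)
        . '" width="' . $width
        . '" height="' . $height . '">';
}

/**
 * Audit helper: returns true when a configured dimension is not a plain
 * non-negative integer string, i.e. when the integer cast would change it.
 * Useful for scanning TypoScript values that end up in HTML attributes.
 */
function dimensionNeedsAttention(string $value): bool
{
    return preg_match('/^\d+$/', trim($value)) !== 1;
}

// Constructed configuration, using the TypoScript values from the report.
$conf = [
    'file'   => 'fileadmin/sample1.mpg',
    'width'  => '640" style="border: 3px dotted red;',
    'height' => '480',
];

echo "Unfiltered: ", buildEmbedUnfiltered($conf), PHP_EOL;
echo "Filtered:   ", buildEmbedFiltered($conf), PHP_EOL;

foreach (['width', 'height'] as $key) {
    if (dimensionNeedsAttention($conf[$key])) {
        echo "Warning: ", $key, " is not a plain integer: ", $conf[$key], PHP_EOL;
    }
}
```

Run it with `php example.php`: the unfiltered line shows the extra `style` attribute spliced into the tag, the filtered line shows only `width="640"`, and the audit loop reports the width value. The integer cast is enough for numeric dimensions; for attributes that must legitimately hold non-numeric text, htmlspecialchars() with ENT_QUOTES, as used for the `src` value here, is the appropriate filter instead.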