[SECURITY] Prevent XSS with fe_users data in felogin/TSFE 02/59102/2
author    Benni Mack <benni@typo3.org>
          Tue, 11 Dec 2018 09:57:11 +0000 (10:57 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
          Tue, 11 Dec 2018 09:57:13 +0000 (10:57 +0100)
commit    1c85fe70269e2ff8ecf0b6d5f16550c6cd0ddc78
tree      0f62984f1658f71645c01c82b882d7a1071064d0
parent    02cd5c97228cba477d16c68e28309ce25c433ce9
[SECURITY] Prevent XSS with fe_users data in felogin/TSFE

Two occurrences allow rendering data of the currently logged-in
frontend user that is not sanitized, and thus allow XSS attacks
by frontend users.

1. EXT:fe_login adds ###FEUSER_{fieldname}### for each
field that exists in the fe_users DB table, which CAN be processed
by TypoScript but is insecure by default.

2. config.USERNAME_substToken = <!--###USERNAME###-->
sets the username dynamically, which is then insecure.

Adding htmlspecialchars as a default configuration
solves this problem.

Resolves: #87053
Releases: master, 8.7, 7.6
Security-Commit: 1cc57f4aa7dfb5b1e3e4db581c57aacd69dd4d9d
Security-Bulletin: TYPO3-CORE-SA-2018-008
Change-Id: I72a1a4ea60f23c81016b87cbbd1ba63161c52df0
Reviewed-on: https://review.typo3.org/59102
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
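The following PHP is an added illustration of the two substitution paths the commit message describes, written for this page rather than taken from TYPO3's source: it builds ###FEUSER_{FIELDNAME}### markers from a fe_users row and replaces the `<!--###USERNAME###-->` token, once with raw database values (the pre-fix behaviour) and once with htmlspecialchars applied by default (the fix). The function names, the sample row and the template are constructed assumptions; only the marker and token formats come from the commit message.

```php
<?php
// Added example, not TYPO3 code. Models how fe_users fields reach HTML output
// through marker substitution and why escaping must be the default.
declare(strict_types=1);

/**
 * Escape a raw database value for an HTML context. ENT_QUOTES also encodes
 * single quotes, so values placed inside value='...' attributes are safe too.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Build marker => value pairs for every column of a fe_users row.
 * $escape = false mirrors the pre-fix behaviour (raw values, insecure by default);
 * $escape = true applies htmlspecialchars to every field before it is exposed.
 */
function buildFeUserMarkers(array $feUserRow, bool $escape): array
{
    $markers = [];
    foreach ($feUserRow as $field => $value) {
        $value = (string)$value;
        $markers['###FEUSER_' . strtoupper($field) . '###'] = $escape ? escapeForHtml($value) : $value;
    }
    return $markers;
}

/** Plain template substitution: every ###MARKER### key is replaced by its value. */
function substituteMarkers(string $template, array $markers): string
{
    return str_replace(array_keys($markers), array_values($markers), $template);
}

/**
 * Replace the USERNAME substitution token in already-rendered page output.
 * The token is inserted by config.USERNAME_substToken; the username must be
 * escaped at this point because the surrounding HTML is already final.
 */
function substituteUsernameToken(string $pageHtml, string $username, bool $escape): string
{
    $token = '<!--###USERNAME###-->';
    return str_replace($token, $escape ? escapeForHtml($username) : $username, $pageHtml);
}

// Constructed sample row: a frontend user who stored markup in a free-text field.
// Any fe_users column a user can edit (name, address, ...) is reachable this way.
$feUserRow = [
    'uid'      => 42,
    'username' => 'mallory" onmouseover="alert(1)',
    'name'     => '<script>alert(document.cookie)</script>',
];

$template = '<p>Welcome ###FEUSER_NAME### (###FEUSER_USERNAME###)</p>' . "\n"
          . '<span title="<!--###USERNAME###-->">logged in</span>' . "\n";

echo "--- before the fix (raw values) ---\n";
$html = substituteMarkers($template, buildFeUserMarkers($feUserRow, false));
echo substituteUsernameToken($html, (string)$feUserRow['username'], false);

echo "--- after the fix (htmlspecialchars by default) ---\n";
$html = substituteMarkers($template, buildFeUserMarkers($feUserRow, true));
echo substituteUsernameToken($html, (string)$feUserRow['username'], true);
```

In the first run the script tag and the attribute-breaking quote land in the output unchanged; in the second, both markers and the USERNAME token carry only `&lt;`, `&gt;` and `&quot;` entities, which is the outcome the commit reaches by making htmlspecialchars the default configuration rather than something each site integrator has to remember to add in TypoScript.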
typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
typo3/sysext/felogin/Tests/Unit/Controller/FrontendLoginControllerTest.php
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php