[SECURITY] Prevent XSS with fe_users data in felogin/TSFE 86/59086/2
author    Benni Mack <benni@typo3.org>
          Tue, 11 Dec 2018 09:55:17 +0000 (10:55 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
          Tue, 11 Dec 2018 09:55:19 +0000 (10:55 +0100)
commit    373bec5d7d415f0764ebbadc7970610dc26da068
tree      5a5aaef868a1e67457e00c035dbe1bd8fbfd0930
parent    89a38ad0ef9411745954f53f29bea5b8ce81cd32
[SECURITY] Prevent XSS with fe_users data in felogin/TSFE

Two occurrences allow rendering data of the currently logged-in
frontend user that is not sanitized and thus allow XSS attacks
by frontend users.

1. EXT:fe_login adds ###FEUSER_{fieldname}### for each
field that exists in the fe_users DB table, which CAN be processed
by TypoScript but is insecure by default.

2. config.USERNAME_substToken = <!--###USERNAME###-->
sets the username dynamically, which is then insecure.

Adding htmlspecialchars as a default configuration
solves this problem.

Resolves: #87053
Releases: master, 8.7, 7.6
Security-Commit: 7f7a326fc656360ffec71415d730e40df99d63a0
Security-Bulletin: TYPO3-CORE-SA-2018-008
Change-Id: I973e350b727d20d137dd70f755913d02e8f5644e
Reviewed-on: https://review.typo3.org/59086
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
typo3/sysext/felogin/Tests/Unit/Controller/FrontendLoginControllerTest.php
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
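The two substitution paths the commit message describes, shown as an added PHP illustration that is not TYPO3 core code and not part of this commit: a fe_users row is turned into ###FEUSER_{fieldname}### markers and a <!--###USERNAME###--> token is replaced with the username. The helper names (buildFeUserMarkers, substituteMarkers, substituteUsernameToken), the upper-casing of the field name in the marker, and the sample user row are assumptions made for the example; the point is the difference between raw substitution and the htmlspecialchars default the fix introduces.

```php
<?php
// Added illustration of the fix described in the commit message.
// Not TYPO3 core code; helper names and sample data are constructed.
declare(strict_types=1);

/**
 * Build one ###FEUSER_{FIELDNAME}### marker per column of a fe_users row.
 * With $escape = true (the safe default) every value is run through
 * htmlspecialchars, so user-controlled fields cannot inject markup.
 * Upper-casing the field name is an assumption of this example.
 */
function buildFeUserMarkers(array $feUserRow, bool $escape = true): array
{
    $markers = [];
    foreach ($feUserRow as $field => $value) {
        $value = (string)$value;
        $markers['###FEUSER_' . strtoupper((string)$field) . '###'] = $escape
            ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : $value;
    }
    return $markers;
}

/** Replace every marker in $template with its value in one pass. */
function substituteMarkers(string $template, array $markers): string
{
    return strtr($template, $markers);
}

/**
 * Replace the USERNAME substitution token (the commit names
 * <!--###USERNAME###-->) with the username, escaped by default.
 */
function substituteUsernameToken(string $html, string $token, string $username, bool $escape = true): string
{
    $replacement = $escape
        ? htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $username;
    return str_replace($token, $replacement, $html);
}

// Constructed sample fe_users row: the username carries a script tag, as a
// self-registered frontend user could supply.
$feUser = [
    'uid'      => 42,
    'username' => 'alice<script>alert(1)</script>',
    'name'     => 'Alice "A" O\'Brien',
];
$template = '<p>Welcome ###FEUSER_USERNAME### (###FEUSER_NAME###)</p>';

echo "raw substitution (vulnerable behaviour before the fix):\n";
echo substituteMarkers($template, buildFeUserMarkers($feUser, false)), "\n\n";

echo "htmlspecialchars by default (behaviour after the fix):\n";
echo substituteMarkers($template, buildFeUserMarkers($feUser)), "\n\n";

// Same contrast for the config.USERNAME_substToken path.
$page = '<header>Logged in as <!--###USERNAME###--></header>';
echo substituteUsernameToken($page, '<!--###USERNAME###-->', $feUser['username'], false), "\n";
echo substituteUsernameToken($page, '<!--###USERNAME###-->', $feUser['username']), "\n";
```

Run with `php example.php`: the raw variants emit the script tag verbatim into the page, while the default variants emit `&lt;script&gt;...` and `&quot;`/`&#039;` entities, which is the property a site integrator should verify in the rendered output after applying the update. Escaping at the substitution point, rather than relying on each TypoScript setup to remember it, is what makes the default safe.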