[SECURITY] Prevent XSS with fe_users data in felogin/TSFE 94/59094/2
author Benni Mack <benni@typo3.org>
Tue, 11 Dec 2018 09:56:17 +0000 (10:56 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 11 Dec 2018 09:56:19 +0000 (10:56 +0100)
commit e4143195e1451630f058a58ab62d92135948a927
tree 45d855a4f1b8bbd0e8eb8f34f5f6eaad356a2f01
parent c35646c3f7795a4a7b0046a88f146b490fa4883c
[SECURITY] Prevent XSS with fe_users data in felogin/TSFE

Two occurrences allow rendering data of the currently logged-in
frontend user that is not sanitized and thus allow XSS attacks
by frontend users.

1. EXT:fe_login adds ###FEUSER_{fieldname}### for each
field that exists in the fe_users DB table, which CAN be processed
by TypoScript but is insecure by default.

2. config.USERNAME_substToken = <!--###USERNAME###-->
sets the username dynamically, which is then insecure.

Adding htmlspecialchars as a default configuration
solves this problem.

Resolves: #87053
Releases: master, 8.7, 7.6
Security-Commit: 3ef6a5c97381742eb6699923e9ed44224ab1e72e
Security-Bulletin: TYPO3-CORE-SA-2018-008
Change-Id: Ic0a48a36d1e5b394b6e829c5e209bdd2321b654e
Reviewed-on: https://review.typo3.org/59094
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
typo3/sysext/felogin/Tests/Unit/Controller/FrontendLoginControllerTest.php
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
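An added illustration of the two substitution paths the commit message describes (not code from this commit or from TYPO3): a fe_users row is turned into ###FEUSER_{fieldname}### markers and the USERNAME_substToken is replaced in the page, once with raw DB values (the pre-fix behaviour) and once with htmlspecialchars applied by default. The helper names, the upper-casing of the field name in the marker, and the sample row are assumptions made for this example.

```php
<?php
// Added example, not TYPO3 code: shows why unescaped fe_users values
// in felogin markers / USERNAME_substToken are an XSS sink and how an
// htmlspecialchars default closes it. Helper names are hypothetical.
declare(strict_types=1);

/**
 * Build ###FEUSER_{FIELD}### markers from a fe_users row.
 * $escape = false mimics the vulnerable pre-fix behaviour (raw values).
 */
function buildFeUserMarkers(array $feUserRow, bool $escape = true): array
{
    $markers = [];
    foreach ($feUserRow as $field => $value) {
        $value = (string)$value;
        if ($escape) {
            // The fix: HTML-encode every field before it reaches the template.
            $value = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
        // Upper-casing the field name in the marker is an assumption here.
        $markers['###FEUSER_' . strtoupper($field) . '###'] = $value;
    }
    return $markers;
}

/** Replace all markers in one pass (no re-scanning of inserted values). */
function substituteMarkers(string $template, array $markers): string
{
    return strtr($template, $markers);
}

/** Replace the config.USERNAME_substToken placeholder, escaped by default. */
function substituteUsernameToken(string $page, string $username, bool $escape = true): string
{
    $value = $escape ? htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $username;
    return str_replace('<!--###USERNAME###-->', $value, $page);
}

// Constructed sample: a frontend user who stored markup in an editable field.
$row = ['username' => 'alice', 'name' => 'Alice <b>Smith</b>'];
$template = '<p>Hello ###FEUSER_NAME### (###FEUSER_USERNAME###)</p>';
$page = '<span class="user"><!--###USERNAME###--></span>';

echo substituteMarkers($template, buildFeUserMarkers($row, false)), PHP_EOL; // <b> is live markup
echo substituteMarkers($template, buildFeUserMarkers($row)), PHP_EOL;        // &lt;b&gt; is inert text
echo substituteUsernameToken($page, '<i>alice</i>', false), PHP_EOL;          // vulnerable variant
echo substituteUsernameToken($page, '<i>alice</i>'), PHP_EOL;                 // fixed variant
```

In TYPO3 the same default is expressed as TypoScript stdWrap rather than in PHP; the point of the example is that the escaping must be the default, not something each integrator has to remember to enable.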