[SECURITY] XSS in be_layout wizard 77/26177/2
authorAnja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:50:48 +0000 (10:50 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:50:52 +0000 (10:50 +0100)
Usage of unverified input parameters in wizard URL leads to a possible
XSS vulnerability in backend_layout wizard.
The solution is the introduction of an HMAC validation of the parameters
used in JavaScript.

Change-Id: I6a9fcd43affa637fd6ac3cd08ae89212e52e6754
Fixes: #36768
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: bcc8a321517ad50bae3dec9366f76b4e886e74e9
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26177
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tceforms.php
typo3/sysext/cms/layout/wizard_backend_layout.php

index aab205d..ec117e2 100644 (file)
@@ -4048,6 +4048,7 @@ class t3lib_TCEforms {
                                                                                // ... else types "popup", "colorbox" and "userFunc" will need additional parameters:
                                                                        $params['formName'] = $this->formName;
                                                                        $params['itemName'] = $itemName;
+                                                                       $params['hmac'] = t3lib_div::hmac($params['formName'] . $params['itemName'], 'wizard_js');
                                                                        $params['fieldChangeFunc'] = $fieldChangeFunc;
                                                                        $params['fieldChangeFuncHash'] = t3lib_div::hmac(serialize($fieldChangeFunc));
 
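Review bot: The HMAC input on the added line joins formName and itemName with no delimiter, so two different (formName, itemName) pairs whose concatenation is identical yield the same tag and one pair's signature is accepted for the other; bind the two values unambiguously, e.g. `$params['hmac'] = t3lib_div::hmac(serialize(array($params['formName'], $params['itemName'])), 'wizard_js');`, which also mirrors the serialize()-based `fieldChangeFuncHash` computed two lines below. The verifying side in wizard_backend_layout.php (the second hunk) must then derive the value the same way. A short comment such as `// Binds formName/itemName so the wizard can reject tampered URL parameters` would explain why the tag exists. The enclosing method starts and ends outside the hunk.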
index fcd4a7e..ff9990f 100644 (file)
@@ -70,6 +70,11 @@ class SC_wizard_backend_layout {
                //data[layouts][2][config]
                $this->formName = $this->P['formName'];
                $this->fieldName = $this->P['itemName'];
+
+               $hmac_validate = t3lib_div::hmac($this->formName . $this->fieldName, 'wizard_js');
+               if (!$this->P['hmac'] || ($this->P['hmac'] !== $hmac_validate)) {
+                       throw new InvalidArgumentException('Hmac Validation failed for backend_layout wizard', 1385811397);
+               }
                $this->md5ID = $this->P['md5ID'];
                $uid = intval($this->P['uid']);
 
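Review bot: `$this->P['hmac']` is read without a guard, so a request that simply omits the parameter triggers an undefined-index notice before the intended exception is thrown; `if (empty($this->P['hmac']) || $this->P['hmac'] !== $hmac_validate)` keeps the reject path while avoiding the notice. The same delimiter-free concatenation noted on the first hunk applies to `$hmac_validate` here and has to change in step with the generating side. The `!==` comparison is not constant-time; a constant-time compare is presumably unavailable on the PHP versions the listed releases target, so a comment stating that the check rejects tampered formName/itemName values and why plain comparison is used would help a later maintainer. The enclosing method continues outside the hunk.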
@@ -81,8 +86,8 @@ class SC_wizard_backend_layout {
                $pageRenderer->addJsFile($GLOBALS['BACK_PATH'] . TYPO3_MOD_PATH . 'res/grideditor.js');
                $pageRenderer->addJsInlineCode('storeData', '
                        function storeData(data)        {
-                               if (parent.opener && parent.opener.document && parent.opener.document.' . $this->formName . ' && parent.opener.document.' . $this->formName . '["' . $this->fieldName . '"])    {
-                                       parent.opener.document.' . $this->formName . '["' . $this->fieldName . '"].value = data;
+                               if (parent.opener && parent.opener.document && parent.opener.document.' . $this->formName . ' && parent.opener.document.' . $this->formName . '[' . t3lib_div::quoteJSvalue($this->fieldName) . '])     {
+                                       parent.opener.document.' . $this->formName . '[' . t3lib_div::quoteJSvalue($this->fieldName) . '].value = data;
                                        parent.opener.TBE_EDITOR.fieldChanged("backend_layout","' . $uid . '","config","data[backend_layout][' . $uid . '][config]");
                                }
                        }
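Review bot: `$this->formName` is still emitted raw into the inline script as a JavaScript identifier on both changed lines, unlike `$this->fieldName`, which now goes through `quoteJSvalue()`; its only protection is the HMAC check earlier in the same method (second hunk), and nothing here records that dependency. Add `// formName is emitted unquoted as a JS property name; it is only safe because the hmac check above binds it to the server-generated value` at the top of this block, and consider a defence-in-depth guard next to the HMAC check, `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $this->formName)) { throw new InvalidArgumentException('Invalid formName for backend_layout wizard', 1385811397); }`, so the identifier position can never carry script even if the check is later weakened. The enclosing method starts outside the hunk.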