[SECURITY] XSS in be_layout wizard 19/26219/2
authorAnja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:54:39 +0000 (10:54 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:54:46 +0000 (10:54 +0100)
Usage of unverified input parameters in wizard URL leads to a possible
XSS vulnerability in backend_layout wizard.
The solution is the introduction of a hmac validation of the parameters
used in JavaScript.

Change-Id: I48f89309fc062d132e283d4fd9179ccbfdcfda4c
Fixes: #36768
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: a3ac48f5d66c566d241295d87cc8d7eb4d10c274
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26219
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Controller/BackendLayoutWizardController.php
typo3/sysext/backend/Classes/Form/FormEngine.php

index ff84fd4..0b3d410 100644 (file)
@@ -69,6 +69,10 @@ class BackendLayoutWizardController {
                $this->P = GeneralUtility::_GP('P');
                $this->formName = $this->P['formName'];
                $this->fieldName = $this->P['itemName'];
+               $hmac_validate = GeneralUtility::hmac($this->formName . $this->fieldName, 'wizard_js');
+               if (!$this->P['hmac'] || ($this->P['hmac'] !== $hmac_validate)) {
+                       throw new \InvalidArgumentException('Hmac Validation failed for backend_layout wizard', 1385811397);
+               }
                $this->md5ID = $this->P['md5ID'];
                $uid = intval($this->P['uid']);
                // Initialize document object:
@@ -78,8 +82,8 @@ class BackendLayoutWizardController {
                $pageRenderer->addJsFile($GLOBALS['BACK_PATH'] . TYPO3_MOD_PATH . 'res/grideditor.js');
                $pageRenderer->addJsInlineCode('storeData', '
                        function storeData(data) {
-                               if (parent.opener && parent.opener.document && parent.opener.document.' . $this->formName . ' && parent.opener.document.' . $this->formName . '["' . $this->fieldName . '"]) {
-                                       parent.opener.document.' . $this->formName . '["' . $this->fieldName . '"].value = data;
+                               if (parent.opener && parent.opener.document && parent.opener.document.' . $this->formName . ' && parent.opener.document.' . $this->formName . '[' . GeneralUtility::quoteJSvalue($this->fieldName) . ']) {
+                                       parent.opener.document.' . $this->formName . '[' . GeneralUtility::quoteJSvalue($this->fieldName) . '].value = data;
                                        parent.opener.TBE_EDITOR.fieldChanged("backend_layout","' . $uid . '","config","data[backend_layout][' . $uid . '][config]");
                                }
                        }
index 3fda742..cffda6b 100644 (file)
@@ -4150,6 +4150,7 @@ TBE_EDITOR.customEvalFunctions[\'' . $evalData . '\'] = function(value) {
                                                                        // ... else types "popup", "colorbox" and "userFunc" will need additional parameters:
                                                                        $params['formName'] = $this->formName;
                                                                        $params['itemName'] = $itemName;
+                                                                       $params['hmac'] = GeneralUtility::hmac($params['formName'] . $params['itemName'], 'wizard_js');
                                                                        $params['fieldChangeFunc'] = $fieldChangeFunc;
                                                                        $params['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($fieldChangeFunc));
                                                                        switch ((string) $wConf['type']) {