Fixed bug #10298: Various XSS issues in the BE user admin module
authorMichael Stucki <michael.stucki@typo3.org>
Tue, 10 Feb 2009 07:51:26 +0000 (07:51 +0000)
committerMichael Stucki <michael.stucki@typo3.org>
Tue, 10 Feb 2009 07:51:26 +0000 (07:51 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@4979 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_bedisplaylog.php
typo3/alt_intro.php
typo3/alt_main.php
typo3/backend.php
typo3/sysext/beuser/mod/index.php

index dcf75b1..72871a6 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2009-02-10  Michael Stucki  <michael@typo3.org>
+
+       * Fixed bug #10298: Various XSS issues in the BE user admin module
+
 2009-02-08  Ingo Renner  <ingo@typo3.org>
 
        * Fixed bug #9861: Second page of results in list-module with ordering flaw (credits Christian Kuhn)
index 2c449e8..f20cebc 100644 (file)
@@ -145,7 +145,7 @@ class t3lib_BEDisplayLog {
                        $this->lastUserLabel=$code.'_'.$workspace;
                        $label = $this->be_user_Array[$code]['username'];
                        $ws = $this->wsArray[$workspace];
-                       return ($label ? $label : '['.$code.']').'@'.($ws?$ws:$workspace);
+                       return ($label ? htmlspecialchars($label) : '['.$code.']').'@'.($ws?$ws:$workspace);
                } else return '.';
        }
 
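Review bot: Only `$label` is escaped on the returned line; the workspace title `$ws`, looked up from `$this->wsArray` two lines above, is still emitted raw, and if that array holds stored workspace titles it is the same class of output as the username. Escape it the same way: `return ($label ? htmlspecialchars($label) : '['.$code.']').'@'.($ws ? htmlspecialchars($ws) : $workspace);`. The `'['.$code.']'` and `$workspace` fallbacks are presumably numeric ids, so casting them with `(int)` would make that explicit instead of relying on escaping. The enclosing method begins before the hunk.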
@@ -167,13 +167,13 @@ class t3lib_BEDisplayLog {
         * Get action label for log listing
         *
         * @param       string          Key for the action label in locallang
-        * @return      string          If labe is different from last action label then the label is returned, otherwise "."
+        * @return      string          If label is different from last action label then the label is returned, otherwise "."
         */
        function getActionLabel($code)  {
                if ($this->lastActionLabel!=$code)      {
                        $this->lastActionLabel=$code;
                        $label=$GLOBALS['LANG']->getLL('action_'.$code);
-                       return $label ? $label : '['.$code.']';
+                       return $label ? htmlspecialchars($label) : '['.$code.']';
                } else return '.';
        }
 
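Review bot: The escaping in getActionLabel is done by hand although `getLL()` already takes an hsc flag, which the same commit uses as `$GLOBALS['LANG']->getLL('backToOverview', true)` in typo3/sysext/beuser/mod/index.php; `$label=$GLOBALS['LANG']->getLL('action_'.$code, true);` followed by the unchanged `return $label ? $label : '['.$code.']';` would follow that convention and keep the empty-label check as it is. The `'['.$code.']'` fallback still returns `$code` unescaped; if `$code` is read from the sys_log row rather than being a fixed key, wrap it too or cast it to `(int)`.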
@@ -196,7 +196,9 @@ class t3lib_BEDisplayLog {
                                } else {
                                        list($label) = explode(',',$text);
                                }
-                               if ($label)     {$text=$label;}
+                               if ($label)     {
+                                       $text=$label;
+                               }
                                $text = sprintf($text, htmlspecialchars($data[0]),htmlspecialchars($data[1]),htmlspecialchars($data[2]),htmlspecialchars($data[3]),htmlspecialchars($data[4]));
                        } else {
                                $text = str_replace('%s','',$text);
index b5ad0ad..9b5ea60 100755 (executable)
@@ -134,8 +134,8 @@ class SC_alt_intro {
                $this->content.='<p class="c-user">'.
                                htmlspecialchars($LANG->getLL('userInfo')).
                                sprintf(' <strong>%s</strong> (%s)',
-                                               $BE_USER->user['username'],
-                                               (implode(', ',array($BE_USER->user['realName'],$BE_USER->user['email'])))
+                                               htmlspecialchars($BE_USER->user['username']),
+                                               htmlspecialchars(implode(', ',array($BE_USER->user['realName'],$BE_USER->user['email'])))
                                                ).
                                '</p>
                                <br />
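Review bot: The escaped `implode(', ', ...)` on the new line still renders a dangling separator when realName or email is empty (", mail" or "Name, "), because implode joins both fields unconditionally, while the index.php hunk of this same commit builds the equivalent string conditionally. Dropping the empty values first keeps the output clean: `htmlspecialchars(implode(', ', array_filter(array($BE_USER->user['realName'], $BE_USER->user['email']))))`. Both fields come from the be_users row, so escaping the joined string once is sufficient for this HTML text context.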
index d13950f..94a48aa 100755 (executable)
@@ -185,7 +185,7 @@ class SC_alt_main {
        function typoSetup()    {       //
                this.PATH_typo3 = "'.$pt3.'";
                this.PATH_typo3_enc = "'.rawurlencode($pt3).'";
-               this.username = "'.$BE_USER->user['username'].'";
+               this.username = "'.htmlspecialchars($BE_USER->user['username']).'";
                this.uniqueID = "'.t3lib_div::shortMD5(uniqid('')).'";
                this.navFrameWidth = 0;
        }
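Review bot: `htmlspecialchars()` is the wrong escaper for the new `this.username` line, because the value lands inside a JavaScript string literal in a script block rather than in HTML: a backslash or line break in the username still breaks the literal (neither `\` nor newlines are escaped), and ordinary characters such as `&` are displayed as `&amp;`, since entities are not decoded inside script. Emit a JS literal instead, e.g. `this.username = '.json_encode($BE_USER->user['username']).';` (json_encode also escapes `/`, so `</script>` cannot terminate the block; it does require the value to be valid UTF-8), or the project's `t3lib_div::quoteJSvalue()` helper if this branch has it. The same construct is patched identically in the typo3/backend.php hunk (`this.username = "'.htmlspecialchars($GLOBALS['BE_USER']->user['username']).'";`) and needs the same treatment. The surrounding typoSetup() JS function is part of a PHP string that opens before the hunk.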
index 5d2ce2e..b8253a0 100644 (file)
@@ -403,7 +403,7 @@ class TYPO3backend {
        function typoSetup()    {       //
                this.PATH_typo3 = "'.$pathTYPO3.'";
                this.PATH_typo3_enc = "'.rawurlencode($pathTYPO3).'";
-               this.username = "'.$GLOBALS['BE_USER']->user['username'].'";
+               this.username = "'.htmlspecialchars($GLOBALS['BE_USER']->user['username']).'";
                this.uniqueID = "'.t3lib_div::shortMD5(uniqid('')).'";
                this.navFrameWidth = 0;
                this.securityLevel = "'.$this->loginSecurityLevel.'";
index 998fa22..8c94fc8 100755 (executable)
@@ -1304,8 +1304,10 @@ class SC_mod_tools_be_user_index {
                                }
                        }
 
-                       $outTable = '<table border="0" cellpadding="1" cellspacing="1"><tr class="bgColor5"><td>'.t3lib_iconWorks::getIconImage('be_users',$tempBE_USER->user,$GLOBALS['BACK_PATH'],'class="absmiddle" title="'.$tempBE_USER->user['uid'].'"').$tempBE_USER->user['username'].'</td>';
-                       $outTable.= '<td>'.$tempBE_USER->user['realName'].($tempBE_USER->user['email'] ? ', <a href="mailto:'.$tempBE_USER->user['email'].'">'.$tempBE_USER->user['email'].'</a>' : '').'</td>';
+                       $email = htmlspecialchars($tempBE_USER->user['email']);
+                       $realname = htmlspecialchars($tempBE_USER->user['realName']);
+                       $outTable = '<table border="0" cellpadding="1" cellspacing="1"><tr class="bgColor5"><td>'.t3lib_iconWorks::getIconImage('be_users',$tempBE_USER->user,$GLOBALS['BACK_PATH'],'class="absmiddle" title="'.$tempBE_USER->user['uid'].'"').htmlspecialchars($tempBE_USER->user['username']).'</td>';
+                       $outTable.= '<td>'.($realname?$realname.', ':'').($email ? '<a href="mailto:'.$email.'">'.$email.'</a>' : '').'</td>';
                        $outTable.= '<td>'.$this->elementLinks('be_users',$tempBE_USER->user).'</td></tr></table>';
                        $outTable.= '<strong><a href="'.htmlspecialchars($this->MCONF['_']).'">' . $GLOBALS['LANG']->getLL('backToOverview', true) . '</a></strong><br />';
 
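Review bot: The rewritten realName/email cell now leaves a trailing separator when a user has a real name but no e-mail address: `($realname?$realname.', ':'')` appends ', ' unconditionally, whereas the removed line only added the comma in front of an existing e-mail. A guarded join restores the old output: `$outTable.= '<td>'.$realname.($realname && $email ? ', ' : '').($email ? '<a href="mailto:'.$email.'">'.$email.'</a>' : '').'</td>';`. The `title="'.$tempBE_USER->user['uid'].'"` attribute on the same line is still interpolated raw; uid is presumably an integer column, so `(int)$tempBE_USER->user['uid']` would make that explicit, and the same applies to `$rec['uid']` in the linkUser() hunk further down.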
@@ -1369,7 +1371,7 @@ class SC_mod_tools_be_user_index {
                                                $comparation[$md5]=$tempBE_USER->ext_printOverview($uInfo,$compareFlags);
                                                $comparation[$md5]['users']=array();
                                        }
-                                       $comparation[$md5]['users'][]=$tempBE_USER->user;       //array('uid'=>$r['uid'],'username'=>$r['username'],'realName'=>$tempBE_USER->user['realName'],'email'=>$tempBE_USER->user['email'],'admin'=>$tempBE_USER->user['admin']);
+                                       $comparation[$md5]['users'][]=$tempBE_USER->user;
                                        unset($tempBE_USER);
                                }
                                $counter++;
@@ -1448,7 +1450,7 @@ class SC_mod_tools_be_user_index {
         * @return      string          the HTML anchor
         */
        function linkUser($str,$rec)    {
-               return '<a href="'.htmlspecialchars($this->MCONF['_']).'&be_user_uid='.$rec['uid'].'">'.$str.'</a>';
+               return '<a href="'.htmlspecialchars($this->MCONF['_']).'&be_user_uid='.$rec['uid'].'">' . htmlspecialchars($str) . '</a>';
        }