what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TYPO3 6.2.19 / 7.6.4 RemoveXSS.php Filter Bypass

TYPO3 6.2.19 / 7.6.4 RemoveXSS.php Filter Bypass
Posted May 19, 2016
Authored by Mandy van Oosterhou

TYPO3 versions 6.2.19 and below and 7.6.4 and below suffer from a cross site scripting filter bypass vulnerability.

tags | exploit, xss, bypass
SHA-256 | 074a8b7081e6012807149a3a08eae83a45695bd2a613d575b6326428f2509193

TYPO3 6.2.19 / 7.6.4 RemoveXSS.php Filter Bypass

Change Mirror Download
Madison Gurkha Security Advisory

Advisory: TYPO3 circumvent RemoveXSS.php cross site scripting using BASE64 encoding

1. DETAILS
----------
Product: Typo3 CMS
Vendor URL: typo3.org
Type: Cross-site Scripting[CWE-79]
Date found: 2016-03-09
Date published: 2016-05-19

2. AFFECTED VERSIONS
--------------------
Typo3 6.2.19 and below
Typo3 7.6.4 and below
and other older versions may be affected too.
Until the removal of the RemoveXSS.php function, versions will be affected.

3. VULNERABILITY DETAILS
------------------------
The filter (RemoveXSS.php) to prevent XSS attacks when using the TYPO3
framework can be circumvented.
The filter is based on a blacklist method which specifies the actions
that are not allowed. It is not recommended to implement security based
on blacklisting methods. Proper input validation and output escaping (in
the proper context) should be a sufficient measure against XSS attacks.

According to the filter it is allowed to add special characters like
"/><. These characters make it possible to create a reflected XSS attack
in a HTML5 type response.

Inserting the following BASE64 encoded string results in a reflected XSS
vulnerability:

"/><a
href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+">Click!</a>

This vulnerability is discovered while testing the LTS versions 7.6.4
and 6.2.19.

Note that only applications that use this function will be affected.

4. SECURITY RISK
----------------
An attacker is able to prepare a URL which, when requested by the victim,
causes JavaScript under control of the attacker to be executed in the context
of the browser of the victim. For example an attacker can steal (session) cookies
or attack the browser and its components.

5. SOLUTION
-----------
Do not use the RemoveXSS.php functionality.
Instead of creating a blacklist use whitelisting to prevent XSS.
Also whenever user input is included in (X)HTML documents,
meta-characters need to be escaped (depending on the context).

In HTML elements, this means that the characters <, >, and & need to be
escaped, by replacing them by the strings <, > and & respectively.
In values of attributes, depending on the type of quotes used,
the character ’ or " needs to be replaced by &#x27; (in XHTML ' may be used)
or " respectively.
There is no harm in always escaping both.

In JavaScript string literals the characters ’ or " (depending on the
type of quotes used) need to be replaced by respectively \’ or \".
There is no harm in always escaping both.
Also, the characters \, line feed, carriage return, line separator and
paragraph separator need to be replaced by respectively \\, \n, \r, \u2028 and \u2029.

Validate user input, making sure that only suitable characters are
accepted based on whitelisting.

6. REPORT TIMELINE
------------------
2016-04-19: Vulnerability discovered
2016-04-21: Vendor notified
2016-04-26: Vendor acknowledges the vulnerability
2016-05-18: Vendor permission for disclosure


7. REFERENCES / CREDITS
-----------------------
This vulnerability was discovered and researched by Mandy van Oosterhout from
Madison Gurkha.


Madison Gurkha
--------------
Madison Gurkha supports organizations with high quality services to efficiently identify,
mitigate and prevent IT security risks.
For more information visit http://madison-gurkha.com/.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close