[SECURITY] Fix several cross-site scripting flaws #1
Conversation
| @@ -1109,6 +1109,9 @@ protected function init() | |||
|
|
|||
| $this->gp = $this->utilityFuncs->getMergedGP(); | |||
|
|
|||
| if (!$this->settings['uniqueFormID']) { | |||
There was a problem hiding this comment.
If I understand this correctly, if 'uniqueFormID' is set, we have the same issue.
So removing this if statement?
There was a problem hiding this comment.
Maybe move the preg_replace to line 1120 and sanitize $randomID unconditionally.
| @@ -439,39 +439,39 @@ protected function fillDefaultMarkers() | |||
| } | |||
| $markers['###HIDDEN_FIELDS###'] = ' | |||
| <input type="hidden" name="id" value="' . $GLOBALS['TSFE']->id . '" /> | |||
| <input type="hidden" name="' . $name . '" value="1" /> | |||
| <input type="hidden" name="' . htmlspecialchars($name) . '" value="1" /> | |||
There was a problem hiding this comment.
Why hsc this? FormValuesPrefix is a formhandler setting and isn't influenced by post/get vars?
There was a problem hiding this comment.
Maybe @reinhardfuehricht can explain this. In some other places $name isn't getting escaped currently.
| @@ -1109,6 +1109,9 @@ protected function init() | |||
|
|
|||
| $this->gp = $this->utilityFuncs->getMergedGP(); | |||
|
|
|||
| if (!$this->settings['uniqueFormID']) { | |||
| $this->gp['randomID'] = preg_replace('/[^0-9a-z]/', '', preg_quote($this->gp['randomID'])); | |||
There was a problem hiding this comment.
I know it is deprecated, obsolete and unmaintained but would a backport fix of v.2.4.1 to the Formhandler v2.0.2 (last one available for T3 6.2ELTS) be to "preg_replace / quote" and "htmlspecialchars" the same lines in the corresponding files in the older version?
formhandler_2.0.2\Classes\Controller\Tx_Formhandler_Controller_Form.php
and
formhandler_2.0.2\Classes\View\Tx_Formhandler_View_Form.php
There was a problem hiding this comment.
Formhandler 2.0.2 released to TER should have them inside, or take a look by AoE https://github.com/AOEpeople/formhandler
There was a problem hiding this comment.
Yeah that's 2.0.2 but the old version with no fixes (like htmlspecialchars($name)) inside.
There was a problem hiding this comment.
Then check the forks ( https://github.com/KaffDaddy/formhandler )
There was a problem hiding this comment.
Thanks opi99 for that one. That's at least exactly what I have done:
https://github.com/KaffDaddy/formhandler/commit/366e728b81d2a7c9c83bb29e8522a8eab736df33
So it seems that is best one can do on a 6.2ELTS release.
Also thanks tyll for discovering it 1year ago.
|
FYI: Unfortunately I do not have the time to take deeper looks into this issue. |
|
It's not complete but merging |
Advisory: https://www.redteam-pentesting.de/advisories/rt-sa-2016-007
The advisory is not yet public, but it is scheduled to be released soon.