Affected Versions: ALL
Vulnerability Type: cross Site Scripting (XSS)
Severity: minor
Problem Description:
The "backURL" parameter is not escaped correctly. A prepared URL could
potentially contain some unwanted JavaScript code.
Solution:
IMPORTANT: It is a usual practice to customize fe_adminLib.inc and use this
file instead of the upstream version. These files will require manual
patching (see below). Search your database to find out if you are using a
user-defined file.
According to the release workflow documentation only TYPO3 4.0
is currently supported. But, since this bug is easy to be fixed in TYPO3
3.8 also, we provide an additional howto for this version below:
a) TYPO3 4.0
1. Replace the file typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc of your
source code with the attached fe_adminLib.inc
b) TYPO3 3.8
1. Replace the file fe_adminLib.inc at the following places or your
source code:
- typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc
- tslib/media/scripts/fe_adminLib.inc (only if symlinks are not used)
- media/scripts/fe_adminLib.inc (only if symlinks are not used)
Downloads
fe_adminLib.inc (no longer available)
diff for patching manually (no longer available)
Credits:Credits go to Andriu Isenring Ritsch for discovering and reporting thisissue, and to Michael Stucki, Lars Houmark and Rupert Germann for providing a patch.