SECURITY-BULLETIN-TYPO3-20061010-1-FE-ADMINLIBINC: Security Bulletin TYPO3-20061010-1: fe_adminLib.inc

Categories: Security Created by Michael Hirdes
A Cross-Site-Scripting (XSS) problem has been discovered in fe_adminLib.inc

Affected Versions: ALL

Vulnerability Type: cross Site Scripting (XSS)

Severity: minor

Problem Description:

The "backURL" parameter is not escaped correctly. A prepared URL could
potentially contain some unwanted JavaScript code.


Solution:

IMPORTANT: It is a usual practice to customize fe_adminLib.inc and use this
file instead of the upstream version. These files will require manual
patching (see below). Search your database to find out if you are using a
user-defined file.

According to the release workflow documentation  only TYPO3 4.0
is currently supported. But, since this bug is easy to be fixed in TYPO3
3.8 also, we provide an additional howto for this version below:

a) TYPO3 4.0
   1. Replace the file typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc of your
      source code with the attached fe_adminLib.inc

b) TYPO3 3.8
   1. Replace the file fe_adminLib.inc at the following places or your
      source code:
      - typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc
      - tslib/media/scripts/fe_adminLib.inc (only if symlinks are not used)
      - media/scripts/fe_adminLib.inc (only if symlinks are not used)

Downloads

fe_adminLib.inc (no longer available)

diff for patching manually  (no longer available)

Credits:Credits go to Andriu Isenring Ritsch for discovering and reporting thisissue, and to Michael Stucki, Lars Houmark and Rupert Germann for providing a patch.