TYPO3-20061010-1: Cross-Site Scripting in fe_adminLib.inc

A problem has been discovered with fe_adminLib.inc bein vulnerable for Cross-Site Scripting (XSS)

Component Type: TYPO3 Core

Affected Versions: < TYPO3 4.0.3 (IMPORTANT: customized version still need manual correction)

Vulnerability Type: cross Site Scripting (XSS)

Severity: minor

Problem Description:

The "backURL" parameter is not escaped correctly. A prepared URL could
potentially contain some unwanted JavaScript code.


IMPORTANT: It is a usual practice to customize fe_adminLib.inc and use this
file instead of the upstream version. These files will require manual
patching (see below). Search your database to find out if you are using a
user-defined file.

A fixed version of fe_adminLib.inc is included in TYPO3 4.0.3 and later.

According to the release workflow documentation  only TYPO3 4.0
is currently supported. But, since this bug is easy to be fixed in TYPO3
3.8 also, we provide an additional howto for this version below:

a) TYPO3 4.0
   1. Replace the file typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc of your
      source code with the attached fe_adminLib.inc

b) TYPO3 3.8
   1. Replace the file fe_adminLib.inc at the following places or your
      source code:
      - typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc
      - tslib/media/scripts/fe_adminLib.inc (only if symlinks are not used)
      - media/scripts/fe_adminLib.inc (only if symlinks are not used)



<media 801 - download>diff for patching manually</media>

Credits go to Andriu Isenring Ritsch for discovering and reporting this
issue, and to Michael Stucki, Lars Houmark and Rupert Germann for providing a patch.