TYPO3-20061010-1: Cross-Site Scripting in fe_adminLib.inc

A problem has been discovered in fe_adminLib.inc, which is vulnerable to Cross-Site Scripting (XSS).

Component Type: TYPO3 Core

Affected Versions: < TYPO3 4.0.3 (IMPORTANT: customized versions of the file still need manual correction)

Vulnerability Type: Cross-Site Scripting (XSS)

Severity: minor

Problem Description:

The "backURL" parameter is not escaped correctly before it is written into
the page output. A crafted URL can therefore inject JavaScript into the page
that is rendered for the victim.
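The following is an added, illustrative example and is not the code of fe_adminLib.inc or of the official patch. It models the bug class the advisory describes (a request parameter written into HTML unescaped) next to the escaped form the fix applies, and adds one further check that is not part of the TYPO3 patch: restricting the value to a local path, because escaping alone does not stop a `javascript:` or off-site URL from being used as a link target. The function names and sample inputs are constructed for the example.

```php
<?php
// Added, illustrative example (not code from TYPO3's fe_adminLib.inc or the
// official patch). It models the bug class the advisory describes: a request
// parameter ("backURL") written into HTML output without escaping, next to a
// hardened version. Function names and the sample inputs are constructed here.

declare(strict_types=1);

// Vulnerable pattern: the parameter is concatenated into an attribute unescaped.
// A value containing  "><script>  closes the attribute and the tag, and the
// rest of the value is rendered as markup.
function renderBackLinkVulnerable(string $backURL): string
{
    return '<a href="' . $backURL . '">Back</a>';
}

// Fix as described by the advisory: escape before output. ENT_QUOTES also
// encodes single quotes, so the value is safe inside both "..." and '...'
// attributes; the character set is given explicitly.
function renderBackLinkFixed(string $backURL): string
{
    $safe = htmlspecialchars($backURL, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '">Back</a>';
}

// Additional hardening beyond the advisory's escaping fix (an assumption of
// this example, not part of the TYPO3 patch): escaping stops the value from
// breaking out of the attribute, but a URL such as  javascript:alert(1)  is
// still a valid href after escaping. A "back" URL only ever needs to point
// back into the same site, so restrict it to a local absolute path.
function isLocalPath(string $url): bool
{
    // Must start with exactly one "/" ("//host" is protocol-relative, and some
    // browsers treat "/\" like "//"), and must contain no control characters.
    if ($url === '' || $url[0] !== '/') {
        return false;
    }
    if (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\')) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $url) !== 1;
}

function renderBackLinkHardened(string $backURL, string $fallback = '/'): string
{
    $target = isLocalPath($backURL) ? $backURL : $fallback;
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">Back</a>';
}

// Constructed sample inputs, of the kind an attacker would put in the query
// string (in the real application the value arrives via $_GET['backURL']).
$inputs = [
    '/index.php?id=5',                           // legitimate
    '"><script>alert(document.cookie)</script>', // attribute break-out (the advisory's bug)
    'javascript:alert(1)',                       // survives escaping; caught only by the path check
    '//evil.example/phish',                      // protocol-relative redirect off-site
];

foreach ($inputs as $input) {
    echo "input:      $input\n";
    echo "vulnerable: " . renderBackLinkVulnerable($input) . "\n";
    echo "fixed:      " . renderBackLinkFixed($input) . "\n";
    echo "hardened:   " . renderBackLinkHardened($input) . "\n\n";
}
```

Run with `php example.php` to compare the three renderings for each input. The escaped form is what the advisory's patch provides and is sufficient against the reported XSS; the path check is extra defence in depth for a parameter whose only legitimate use is navigating back within the site.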


Solution:

IMPORTANT: It is common practice to customize fe_adminLib.inc and use that
copy instead of the upstream version. Such copies are not replaced by the
update and require manual patching (see below). Search your database to find
out whether you are using a user-defined copy of the file.

A fixed version of fe_adminLib.inc is included in TYPO3 4.0.3 and later.

According to the release workflow documentation, only TYPO3 4.0 is
currently supported. However, since this bug is also easy to fix in TYPO3
3.8, we provide an additional howto for that version below:

a) TYPO3 4.0
   1. Replace the file typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc in your
      source code with the attached fe_adminLib.inc

b) TYPO3 3.8
   1. Replace the file fe_adminLib.inc at the following places in your
      source code:
      - typo3/sysext/cms/tslib/media/scripts/fe_adminLib.inc
      - tslib/media/scripts/fe_adminLib.inc (only if symlinks are not used)
      - media/scripts/fe_adminLib.inc (only if symlinks are not used)

Downloads

- fe_adminLib.inc (fixed file)
- diff for patching manually


Credits:
Credits go to Andriu Isenring Ritsch for discovering and reporting this
issue, and to Michael Stucki, Lars Houmark and Rupert Germann for providing a patch.