From 5eae4a875b66c7dda6e53e75d34fe126b9ed55fd Mon Sep 17 00:00:00 2001
From: Anja Leichsenring <aleichsenring@ab-softlab.de>
Date: Tue, 10 Dec 2013 10:54:39 +0100
Subject: [PATCH] [SECURITY] XSS in be_layout wizard
Usage of unverified input parameters in wizard URL leads to a possible XSS vulnerability in backend_layout wizard. The solution is the introduction of a hmac validation of the parameters used in JavaScript.
Change-Id: I48f89309fc062d132e283d4fd9179ccbfdcfda4c
Fixes: #36768
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: a3ac48f5d66c566d241295d87cc8d7eb4d10c274
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26219
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
---
 .../Classes/Controller/BackendLayoutWizardController.php | 8 ++++++--
 typo3/sysext/backend/Classes/Form/FormEngine.php | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/typo3/sysext/backend/Classes/Controller/BackendLayoutWizardController.php b/typo3/sysext/backend/Classes/Controller/BackendLayoutWizardController.php
index ff84fd493bf2..0b3d410598f5 100644
--- a/typo3/sysext/backend/Classes/Controller/BackendLayoutWizardController.php
+++ b/typo3/sysext/backend/Classes/Controller/BackendLayoutWizardController.php
@@ -69,6 +69,10 @@ class BackendLayoutWizardController {
 $this->P = GeneralUtility::_GP('P');
 $this->formName = $this->P['formName'];
 $this->fieldName = $this->P['itemName'];
+ $hmac_validate = GeneralUtility::hmac($this->formName . $this->fieldName, 'wizard_js');
+ if (!$this->P['hmac'] || ($this->P['hmac'] !== $hmac_validate)) {
+ throw new \InvalidArgumentException('Hmac Validation failed for backend_layout wizard', 1385811397);
+ }
 $this->md5ID = $this->P['md5ID'];
 $uid = intval($this->P['uid']);
 // Initialize document object:
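Review bot: The HMAC on the first added line is computed over `$this->formName . $this->fieldName` with no separator, so the signature binds the concatenation but not where formName ends and fieldName begins, and formName is still emitted into the inline script unquoted later in this class; sign the two values as a tuple instead, e.g. `GeneralUtility::hmac(serialize(array($this->formName, $this->fieldName)), 'wizard_js')`, which mirrors the `fieldChangeFuncHash` pattern FormEngine.php already uses, and apply the same change on the issuing side in the FormEngine.php hunk. The guard also reads `$this->P['hmac']` before checking that the key exists, which raises a notice on a request that omits it; `if (empty($this->P['hmac']) || ...)` avoids that. If the supported PHP baseline permits it, a constant-time comparison such as `hash_equals()` is preferable to `!==` for the digest check. The enclosing method starts before this hunk.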
@@ -78,8 +82,8 @@ class BackendLayoutWizardController {
 $pageRenderer->addJsFile($GLOBALS['BACK_PATH'] . TYPO3_MOD_PATH . 'res/grideditor.js');
 $pageRenderer->addJsInlineCode('storeData', '
 function storeData(data) {
- if (parent.opener && parent.opener.document && parent.opener.document.' . $this->formName . ' && parent.opener.document.' . $this->formName . '["' . $this->fieldName . '"]) {
- parent.opener.document.' . $this->formName . '["' . $this->fieldName . '"].value = data;
+ if (parent.opener && parent.opener.document && parent.opener.document.' . $this->formName . ' && parent.opener.document.' . $this->formName . '[' . GeneralUtility::quoteJSvalue($this->fieldName) . ']) {
+ parent.opener.document.' . $this->formName . '[' . GeneralUtility::quoteJSvalue($this->fieldName) . '].value = data;
 parent.opener.TBE_EDITOR.fieldChanged("backend_layout","' . $uid . '","config","data[backend_layout][' . $uid . '][config]");
 }
 }
diff --git a/typo3/sysext/backend/Classes/Form/FormEngine.php b/typo3/sysext/backend/Classes/Form/FormEngine.php
index 3fda742dc659..cffda6b42d8a 100644
--- a/typo3/sysext/backend/Classes/Form/FormEngine.php
+++ b/typo3/sysext/backend/Classes/Form/FormEngine.php
@@ -4150,6 +4150,7 @@ TBE_EDITOR.customEvalFunctions[\'' . $evalData . '\'] = function(value) {
 // ... else types "popup", "colorbox" and "userFunc" will need additional parameters:
 $params['formName'] = $this->formName;
 $params['itemName'] = $itemName;
+ $params['hmac'] = GeneralUtility::hmac($params['formName'] . $params['itemName'], 'wizard_js');
 $params['fieldChangeFunc'] = $fieldChangeFunc;
 $params['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($fieldChangeFunc));
 switch ((string) $wConf['type']) {
-- 
GitLab
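Review bot: Both rewritten lines still splice `$this->formName` into the inline script unquoted as a property name, so the script stays well-formed only because the HMAC check earlier in this method rejects values FormEngine did not issue; that reliance is invisible here and deserves a comment on the line above the `if`, e.g. `// formName is used unquoted; it is safe only because it was HMAC-validated above`. For defence in depth the same bracket form now used for fieldName would also work for formName, `parent.opener.document[' . GeneralUtility::quoteJSvalue($this->formName) . ']`, so the script no longer depends on the property name being a bare identifier. quoteJSvalue() evidently returns a quoted literal (the hunk places it directly inside `[...]`), so the fieldName access itself is correctly escaped, and `$uid` is intval'd before it reaches fieldChanged(). The PHP method that builds this string continues outside the hunk.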