Closed mikestreety closed 3 years ago
In a first short test I could not reproduce this. I tested in the current version (master branch of today) and in version 3.4.1 (both TYPO3 10.4.14). I tested with and without routing / speaking URLs activated.
When I add your example query parameter to the search page like this
/search?tx_kesearch_pi1%5Bsword%5D=1');alert('pow
the whole query is treated as a search query which results in
Are you sure this is a ke_search issue? Maybe this issue is in your override template?
Please note that security issues should be reported to the TYPO3 security team: https://typo3.org/community/teams/security/extension-security-policy
Thanks for the super quick response. It may well be a conflict with some configuration our end.
Out of interest, if you view source on that page with the screenshot, search for the history.replaceState script block, what does it look like?
It looks like this:
<form method="get" id="form_kesearch_pi1" name="form_kesearch_pi1" action="/search">
<script>history.replaceState(null,'','/search?tx_kesearch_pi1%5Bsword%5D=1%27%29%3Balert%28%27pow&cHash=46d1b315314efd0b11d2dd1d74c4ebb9');</script>
[...]
Ah yes, so that encoding of the semi-colon and the quotes is not happening my side.
Thanks for the assistance & patience. I'll close this issue for now and upgrade next week to see if that solves it (if not, I will assume it is something my end).
Thanks again.
Hello,
Background
I am currently on version 3.4.2 due to conflicts with the aforementioned tt_news indexer I've not had time to look at yet - seems to have been a busy month for me.
We have just had a pen test run on one of our sites and a Cross-Site-Scripting (XSS) issue was raised. I'm currently in the process of deploying a "fix" to our site, so apologies if this has been fixed/mentioned elsewhere.
We are not using the Site config and our search doesn't have "pretty" URLs which, because of the history.replaceState in the Template, is open to XSS.
Example
This line here: https://github.com/teaminmedias-pluswerk/ke_search/blob/master/Resources/Private/Templates/SearchForm.html#L14
Seems to spit out the URL as is, which means if your URL has this at the end:
The alert is triggered:
This is obviously a mild example, but it could potentially have dangerous consequences - especially as it lets you render text on the page
As a quick/hotfix I've removed that script line from my template override. I've not looked into the code or anything for this - will try and have a poke around next week if it helps.
👍