
SS-2014-018: Open file permissions vulnerability

Severity: High
Identifier: SS-2014-018
Versions Affected: 3.1
Versions Fixed: 3.1.9
Release Date: 2015-01-15

The 'edit' and 'delete' actions of UploadField are accessible to unauthenticated users, who can alter the file ID in the URL to access any file recorded in the database.

This allows the user unrestricted access to;

This can be performed on any UploadField used on the front-end unless custom logic has been applied to the File class via a DataExtension which implements the canEdit method.

UploadFields in the admin section are also affected, but can only be accessed by users who have access to the admin section and have access to an UploadField.

Workaround: 3.1.8 and older

In the immediate term, user code can be patched to fix this vulnerability prior to the 3.1.9 release. The following two files should be created (and customised) as necessary.

In mysite/_config/security.yml put the following:

---
Name: filesecurity
---
File:
  extensions:
    - FileSecurityExtension

In mysite/code/FileSecurityExtension.php put the following:

<?php
/**
 * Restricts editing of File records to members holding the given permission.
 */
class FileSecurityExtension extends DataExtension {
    public function canEdit($member) {
        // Or replace with the appropriate permission code
        return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
    }
}
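
A customised variant of the extension above for sites where front-end members must still be able to edit their own uploads, given as an added example that is not part of the original advisory or the SilverStripe code base. The class name FileOwnerSecurityExtension is hypothetical, and the check assumes the File record's Owner relation (OwnerID) identifies the uploading member; it would be listed in mysite/_config/security.yml in place of FileSecurityExtension.

```php
<?php
/**
 * Added example (hypothetical class name): allow editing of a File only for
 * asset administrators or for the member recorded as the file's owner.
 */
class FileOwnerSecurityExtension extends DataExtension {
    public function canEdit($member) {
        // Fall back to the logged-in member when none is passed in
        if (!$member) {
            $member = Member::currentUser();
        }

        // Unauthenticated requests are always refused
        if (!$member) {
            return false;
        }

        // Members with access to the Files section may edit any file
        if (Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin')) {
            return true;
        }

        // $member may be a Member object or a numeric member ID
        $memberID = is_object($member) ? (int)$member->ID : (int)$member;

        // Assumption: OwnerID holds the ID of the member who uploaded the file.
        // Files with no recorded owner (OwnerID of 0) are refused.
        $ownerID = (int)$this->owner->OwnerID;
        return $ownerID > 0 && $ownerID === $memberID;
    }
}
```

With this variant, changing the file ID in the URL only reaches records whose owner matches the requesting member, so the permission code and the ownership rule should both be reviewed against how files are created on the site.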