SS-2014-003: ExtraMeta allows JavaScript for malicious CMS authors

The CMS allows specifying custom HTML to be placed in the <head> section of a specific page (through the SiteTree.ExtraMeta property). The main intention is to add <meta> tags further describing the content present. Since the accepted format is HTML, any content can be inserted by CMS authors, including <script> tags containing inline JavaScript or external sources. In order to exploit this issue, you need to have CMS access in the first place. Other potential weaknesses, like transient cross-site scripting (XSS) through malicious links, can abuse the CMS author's login status and turn the attack into a persistent XSS issue.

While there is no known vector to exploit this without a valid CMS login, the core team feels it's safest to whitelist the tags allowed in the ExtraMeta property, defaulting to <link> and <meta> only. This means existing projects with page-specific <script> tags will need to have these tags moved into SilverStripe templates. Alternatively, you can add a new HTMLText $db property in your Page class definition (suggested name: $HeaderScripts).

This whitelist will not apply to existing data in the SiteTree.ExtraMeta column on existing pages. In order to ensure no exploit has already been persisted, and check if you need to move <script> tags to templates, we suggest you search this column in your project database:
SELECT * FROM "SiteTree" WHERE "SiteTree"."ExtraMeta" LIKE '%<script%';
SELECT * FROM "SiteTree_Live" WHERE "SiteTree_Live"."ExtraMeta" LIKE '%<script%';
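
The LIKE '%<script%' search only finds <script> tags. As an added example (not part of the advisory or of SilverStripe's code), this Python script applies the advisory's default allowlist of <link> and <meta> to exported ExtraMeta values and reports every other tag it finds. The (table, ID, ExtraMeta) row format and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Default allowlist stated in the advisory: only <link> and <meta>.
ALLOWED_TAGS = {"link", "meta"}


class _TagCollector(HTMLParser):
    """Collects the name of every element opened in an ExtraMeta value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <SCRIPT> is reported as "script".
        # Self-closing tags (<link ... />) also arrive here by default.
        self.tags.append(tag)


def disallowed_tags(extra_meta, allowed=ALLOWED_TAGS):
    """Return the sorted tags in extra_meta that are not on the allowlist."""
    collector = _TagCollector()
    collector.feed(extra_meta or "")  # NULL column values become empty input
    collector.close()
    return sorted(set(collector.tags) - set(allowed))


def audit(rows, allowed=ALLOWED_TAGS):
    """rows: iterable of (table, page_id, extra_meta). Returns the findings."""
    findings = []
    for table, page_id, extra_meta in rows:
        bad = disallowed_tags(extra_meta, allowed)
        if bad:
            findings.append((table, page_id, bad))
    return findings


# Constructed sample rows, standing in for an export of the ExtraMeta column.
SAMPLE_ROWS = [
    ("SiteTree", 1, '<meta name="robots" content="noindex">'),
    ("SiteTree", 2, '<link rel="canonical" href="https://example.com/a" />'),
    ("SiteTree_Live", 3, '<SCRIPT src="https://example.com/x.js"></SCRIPT>'),
    ("SiteTree_Live", 4, '<meta name="a" content="b"><style>body{}</style>'),
    ("SiteTree", 5, None),
]

if __name__ == "__main__":
    for table, page_id, bad in audit(SAMPLE_ROWS):
        print(f"{table} ID={page_id}: tags outside allowlist: {', '.join(bad)}")
```

Rows it reports are the pages whose ExtraMeta content needs to be reviewed and, where legitimate, moved into templates as described above.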

Download CMS patch for 3.1 | Download framework patch for 3.1

Thanks to Daniel Hensby for reporting.

Severity: Low
Identifier: SS-2014-003
Versions Affected: 3.0.8, 3.1.2 and all earlier versions
Versions Fixed: 3.1.3
Release Date: 2014-02-19
