SS-2014-005: Arbitrary class creation in CMS backend

By changing the PageType value passed to CMSPageAddController, a user is able to create an instance of any arbitrary class. If this class is a DataObject, it will be written to the database. This allows a user to create objects of classes that they should not be able to create.

This is fixed by changing CMSMain->getNewItem() to only create classes that are subclasses of the tree_class (SiteTree in most cases).
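The subclass check described above, sketched as an added PHP example; it is not SilverStripe's patch or source code. The stub classes, the function names `newItemUnchecked` and `newItemChecked`, accepting the tree class itself, and the instantiability check are all assumptions made for illustration.

```php
<?php
// Added illustration with simplified stand-in classes (not SilverStripe code).
class DataObject { public function write() { /* would persist a row */ } }
class SiteTree extends DataObject {}
class Page extends SiteTree {}
class Member extends DataObject {}   // a DataObject that is not a page type

// Unchecked form: the request-supplied PageType is instantiated as-is,
// so any loadable class name is accepted.
function newItemUnchecked($className) {
    return new $className();
}

// Checked form: the name must resolve to the tree class or a subclass of it.
// (Hypothetical helper; allowing $treeClass itself is an assumption.)
function newItemChecked($className, $treeClass = 'SiteTree') {
    if (!is_string($className) || !class_exists($className)) {
        throw new InvalidArgumentException('Unknown page type');
    }
    // is_a() with $allow_string = true compares class names without
    // constructing anything, so rejected classes never run a constructor.
    if (!is_a($className, $treeClass, true)) {
        throw new InvalidArgumentException("$className is not a $treeClass");
    }
    // Abstract classes and interfaces pass is_a() but cannot be created.
    $reflection = new ReflectionClass($className);
    if (!$reflection->isInstantiable()) {
        throw new InvalidArgumentException("$className cannot be instantiated");
    }
    return new $className();
}

// Constructed sample inputs standing in for the submitted PageType value.
foreach (array('Page', 'Member', 'ArrayObject', 'NoSuchClass') as $requested) {
    try {
        $item = newItemChecked($requested);
        echo $requested, ': created ', get_class($item), "\n";
    } catch (InvalidArgumentException $e) {
        echo $requested, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Note that `class_exists()` triggers autoloading by default, so the name is still resolved against the autoloader before the type check runs.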

At this stage, there is no known way to use this for arbitrary code execution or arbitrary database access, thus the issue is rated low severity.

Download Patch for 3.1 | Download Patch for 3.0

Thanks to Simon Welsh for reporting and submitting a patch.

Severity: Low
Identifier: SS-2014-005
Versions Affected: 3.0.9, 3.1.3, and all previous versions
Versions Fixed: 3.0.10, 3.1.4
Release Date: 2014-04-01
