SS-2013-003: Privilege escalation through Group hierarchy setting

Severity: Low (?)
Identifier: SS-2013-003
Versions Affected: 2.4, 3.0, 3.1
Versions Fixed: 2.4.12, 3.0.6, 3.1.0
Release Date: 2013-09-12

CMS users with access to the "Security" admin interface, but without ADMIN permissions, are able to increase their privileges. Since groups inherit permissions from their parent groups, a hierarchy change to a group that a malicious user belongs to can make that group inherit further privileged permissions. Note: only a small number of advanced installations have separate "sub-admin" groups set up, and it is this setup that makes them vulnerable to this issue.

This was fixed by limiting group hierarchy changes to parent groups that do not carry a set of privileged permissions (CMS_ACCESS_SecurityAdmin, EDIT_PERMISSIONS, APPLY_ROLES, ADMIN), unless the currently logged-in user already has ADMIN permissions.
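The following is an added, self-contained model of the inheritance and the fix described above, not SilverStripe's own code: groups inherit permission codes from their parent chain, and a hierarchy change is refused when the prospective parent carries any of the four privileged codes and the editor is not ADMIN. The group names and the CMS_ACCESS_CMSMain sample code are constructed for the demo.

```python
# Constructed model of group permission inheritance and the hierarchy check
# described in SS-2013-003; not SilverStripe's own code.
PRIVILEGED_CODES = {"CMS_ACCESS_SecurityAdmin", "EDIT_PERMISSIONS", "APPLY_ROLES", "ADMIN"}

class Group:
    def __init__(self, name, own_permissions=(), parent=None):
        self.name = name
        self.own_permissions = set(own_permissions)
        self.parent = parent  # groups inherit from their parent chain

    def effective_permissions(self):
        """Codes a member holds: the group's own plus every ancestor's."""
        perms, node, seen = set(), self, set()
        while node is not None and id(node) not in seen:  # guard against cycles
            seen.add(id(node))
            perms |= node.own_permissions
            node = node.parent
        return perms

def can_set_parent(editor_permissions, new_parent):
    """Rule from the fix: a non-ADMIN editor may only attach a group under a
    parent whose inherited permissions contain none of the privileged codes."""
    if "ADMIN" in editor_permissions or new_parent is None:
        return True
    return not (new_parent.effective_permissions() & PRIVILEGED_CODES)

def set_parent(group, new_parent, editor_permissions):
    """Apply a hierarchy change only when the rule above allows it."""
    if not can_set_parent(editor_permissions, new_parent):
        raise PermissionError(f"{group.name}: parent carries privileged permissions")
    group.parent = new_parent

def demo():
    admins = Group("Administrators", {"ADMIN"})
    authors = Group("Content Authors", {"CMS_ACCESS_CMSMain"})  # sample, non-privileged
    sub_admins = Group("Sub-admins", {"CMS_ACCESS_SecurityAdmin"})
    editor = sub_admins.effective_permissions()  # what a sub-admin editor holds
    # Unchecked reparenting (pre-fix behaviour) would make the group inherit ADMIN.
    sub_admins.parent = admins
    inherits_admin = "ADMIN" in sub_admins.effective_permissions()
    sub_admins.parent = None
    # With the check: refused for a non-ADMIN editor; allowed under a non-privileged
    # parent or for an ADMIN editor.
    try:
        set_parent(sub_admins, admins, editor)
        blocked = False
    except PermissionError:
        blocked = True
    allowed = can_set_parent(editor, authors) and can_set_parent({"ADMIN"}, admins)
    return inherits_admin, blocked, allowed
```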
