SS-2013-005: Privilege escalation with APPLY_ROLES

Severity: Low (?)
Identifier: SS-2013-005
Versions Affected: 2.4, 3.0, 3.1
Versions Fixed: 2.4.11, 3.0.6, 3.1.0
Release Date: 2013-09-12

CMS users with access to the "Security" admin interface can increase their privileges to ADMIN if they currently just hold the permission "Apply roles to groups" (APPLY_ROLES). They can exploit their access either by assigning privileged permissions to a group they already belong to, or by creating a new role with more privileged permissions.

Only a small number of advanced installations should have this "sub-admin" role set up, which is what makes them vulnerable to this issue. Note that APPLY_ROLES still allows users with access to the "Security" interface to assign themselves non-privileged permissions such as editing CMS content or CMS settings. This is by design. It is also advised to use the built-in "Only admins can apply" flag on roles which are deemed privileged, which already prevents "sub-admins" from assigning such a role to a group they belong to.

This has been fixed by additional validation on the PermissionRoleCode model.
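To illustrate the kind of model-level check the fix describes, here is an added example (not the SilverStripe project's own patch): a validate() hook on PermissionRoleCode that refuses to write a privileged permission code onto a role unless the current user already holds ADMIN. The list in $privileged_permissions and the error message are constructed for this example; the class, fields and ValidationResult API follow the SilverStripe 3.x conventions.

```php
<?php
// Added illustration, not the project's own code: reject privileged codes on
// PermissionRoleCode unless the writer is an ADMIN. Without such a check, a
// user holding only APPLY_ROLES could create or edit a role carrying ADMIN
// and then apply it to a group they belong to.
class PermissionRoleCode extends DataObject {

    private static $db = array(
        'Code' => 'Varchar',
    );

    private static $has_one = array(
        'Role' => 'PermissionRole',
    );

    // Constructed example list: codes that grant more authority than a
    // "sub-admin" should be able to hand out to a role. Adjust per installation.
    private static $privileged_permissions = array(
        'ADMIN',
        'APPLY_ROLES',
        'EDIT_PERMISSIONS',
    );

    /**
     * Runs on every write(), so the check applies regardless of which admin
     * form or API path created the record.
     */
    public function validate() {
        $result = parent::validate();

        $privileged = Config::inst()->get(__CLASS__, 'privileged_permissions');
        if (!is_array($privileged)) {
            $privileged = array();
        }

        // A privileged code may only be attached to a role by an ADMIN;
        // everyone else (including APPLY_ROLES holders) gets a validation error.
        if ($this->Code
            && in_array($this->Code, $privileged, true)
            && !Permission::check('ADMIN')
        ) {
            $result->error(sprintf(
                'Can\'t assign privileged permission "%s" to a role without ADMIN permission.',
                $this->Code
            ));
        }

        return $result;
    }
}
```

Because the check lives in validate() rather than in a single CMS form, it also covers writes made through ModelAdmin, the ORM, or a custom controller, which is the property that makes a model-level fix preferable to a form-level one.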
