SS-2014-003: ExtraMeta allows JavaScript for malicious CMS authors

Severity:
Low (?)
Identifier:
 
SS-2014-003
Versions Affected:
 
3.0.8, 3.1.2 and all earlier versions
Versions Fixed:
 
3.1.3
Release Date:
 
2014-02-19

The CMS allows specifying custom HTML to be placed in the <head> section of a specific page (through the SiteTree.ExtraMeta property). The main intention is to add <meta> tags further describing the content present. Since the accepted format is HTML, any content can be inserted by CMS authors, including <script> tags containing inline JavaScript or external sources. In order to exploit this issue, you need to have CMS access in the first place. Other potential weaknesses like transient cross-site scripting (XSS) through malicious links can abuse the CMS author login status, and transform attacks a persistent XSS issue.

While there is no known vector to exploit this without a valid CMS login, the core team feels its safest to whitelist the tags allowed in the ExtraMeta property, defaulting to <link> and <meta> only. This means existing projects with page-specific <script> tags will need to have these tags moved into SilverStripe templates. Alternatively, you can add a new HTMLText $db property in your Page class definition (suggested name: $HeaderScripts).

This whitelist will not apply to existing data in the SiteTree.ExtraMeta column on existing pages. In order to ensure no exploit has already been persisted, and check if you need to move <script> tags to templates, we suggest you search this column in your project database:
SELECT * FROM "SiteTree" WHERE "SiteTree"."ExtraMeta" LIKE '%<script%'
SELECT * FROM "SiteTree_Live" WHERE "SiteTree"."ExtraMeta" LIKE '%<script%'

Download CMS patch for 3.1 | Download framework patch for 3.1

Thanks to Daniel Hensby for reporting.

Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com

Comments on this website? Please give feedback.