SS-2014-004: SQL injection in SiteTree with custom URLSegmentFilter rules

Severity: Low (?)
Identifier: SS-2014-004
Versions Affected: 3.1.3, 3.0.9, and all versions before
Versions Fixed: 3.1.4, 3.0.10
Release Date: 2014-04-01

When a developer removes the default URLSegmentFilter rule, the CMS backend is vulnerable to SQL injection, because apostrophes are no longer removed from the URL segment before it is used in a query.

The fix ensures the URL segment is always escaped when the query is built, regardless of which URL filters are configured.
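The weakness described above is a general one: sanitisation that happens to remove quote characters is not the same as escaping at the query boundary, and the moment the sanitiser is reconfigured the query is exposed. The following Python example is added here to illustrate that pattern; it is not SilverStripe's code and does not use its API. The `url_segment_filter` function, its `DEFAULT_RULES`, the in-memory `SiteTree` table and its rows are all constructed stand-ins. `build_lookup_sql_before` mirrors the pre-fix pattern (safety depends on the filter), `build_lookup_sql_after` mirrors the fix (always escape), and `lookup_bound` shows the parameter-binding form a practitioner should prefer.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for SiteTree (sample data, not SilverStripe's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SiteTree (ID INTEGER PRIMARY KEY, URLSegment TEXT, Title TEXT)")
    conn.executemany(
        "INSERT INTO SiteTree (URLSegment, Title) VALUES (?, ?)",
        [("about-us", "About Us"), ("contact", "Contact")],
    )
    return conn


# Hypothetical stand-in for a URL segment filter. The default rule drops every
# character that is not a lowercase letter, digit or hyphen, so apostrophes vanish.
# A developer who removes the rule (passes an empty list) lets apostrophes through.
DEFAULT_RULES = [(r"[^a-z0-9\-]", "")]


def url_segment_filter(segment, rules=DEFAULT_RULES):
    out = segment.lower()
    for pattern, replacement in rules:
        out = re.sub(pattern, replacement, out)
    return out


def build_lookup_sql_before(segment, rules=DEFAULT_RULES):
    """Pre-fix pattern: the query is safe only while the filter happens to strip quotes."""
    filtered = url_segment_filter(segment, rules)
    return f"SELECT Title FROM SiteTree WHERE URLSegment = '{filtered}'"


def escape_sql_string(value):
    """Minimal escaping for a single-quoted SQL string literal."""
    return value.replace("'", "''")


def build_lookup_sql_after(segment, rules=DEFAULT_RULES):
    """Post-fix pattern: the segment is escaped at the query boundary, whatever the filter did."""
    filtered = url_segment_filter(segment, rules)
    return f"SELECT Title FROM SiteTree WHERE URLSegment = '{escape_sql_string(filtered)}'"


def query_is_valid(conn, sql):
    """True if SQLite accepts the statement; False if it is malformed (e.g. an unbalanced quote)."""
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def lookup_bound(conn, segment, rules=DEFAULT_RULES):
    """Preferred form: parameter binding, so there is no escaping step to forget."""
    filtered = url_segment_filter(segment, rules)
    return conn.execute(
        "SELECT Title FROM SiteTree WHERE URLSegment = ?", (filtered,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for rules, label in ((DEFAULT_RULES, "default filter"), ([], "filter removed")):
        before = build_lookup_sql_before("It's", rules)
        after = build_lookup_sql_after("It's", rules)
        print(f"{label}: before-fix query valid={query_is_valid(db, before)}; "
              f"after-fix query valid={query_is_valid(db, after)}")
```

With the default rule in place both query builders produce a well-formed statement; once the rule is removed, the pre-fix builder emits an unbalanced quote (which is exactly the condition an injection relies on), while the post-fix builder and the bound query both stay well-formed and simply return no row for that segment.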

Download Patch for 3.1 | Download Patch for 3.0

Thanks to Simon Welsh for reporting and submitting a patch.
