SS-2014-005: Arbitrary class creation in CMS backend

Severity: Low
Identifier: SS-2014-005
Versions Affected: 3.0.9, 3.1.3, and all previous versions
Versions Fixed: 3.0.10, 3.1.4
Release Date: 2014-04-01

By changing the PageType value passed to CMSPageAddController, a user is able to create an instance of any arbitrary class. If this class is a DataObject, it will be written to the database. This allows a user to create objects of classes that they should not be able to.

This is fixed by changing CMSMain->getNewItem() to only create classes that are subclasses of the tree_class (SiteTree in most cases).
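
The kind of check described above, as an added example (not the SilverStripe patch or the project's own code). The classes are minimal stand-ins constructed for the example, the function names getNewItemUnchecked and getNewItemChecked are hypothetical, and accepting the tree class itself as well as its subclasses is an assumption.

```php
<?php
// Stand-in classes constructed for this example; not SilverStripe's real ones.
class DataObject { public function write() { return get_class($this) . ' written'; } }
class SiteTree extends DataObject {}
class BlogPage extends SiteTree {}
class Member extends DataObject {}   // a DataObject that is not a page type

// Before: the request-supplied class name is instantiated as-is,
// so any loadable class name is accepted.
function getNewItemUnchecked($className) {
    return new $className();
}

// After: only the tree class or one of its subclasses is accepted.
function getNewItemChecked($className, $treeClass = 'SiteTree') {
    if (!is_string($className) || !class_exists($className)) {
        throw new InvalidArgumentException('Unknown page type');
    }
    // is_a() with $allow_string = true compares class names
    // without creating an object of the untrusted class first.
    if (!is_a($className, $treeClass, true)) {
        throw new InvalidArgumentException("$className is not a $treeClass");
    }
    // Abstract classes and interfaces cannot be created; reject them cleanly.
    $reflection = new ReflectionClass($className);
    if (!$reflection->isInstantiable()) {
        throw new InvalidArgumentException("$className cannot be instantiated");
    }
    return new $className();
}

// Constructed inputs standing in for the PageType request value.
$pageTypes = array('BlogPage', 'SiteTree', 'Member', 'stdClass', 'NoSuchClass');
foreach ($pageTypes as $pageType) {
    try {
        $item = getNewItemChecked($pageType);
        echo "$pageType: accepted (" . $item->write() . ")\n";
    } catch (InvalidArgumentException $e) {
        echo "$pageType: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The check runs on the class name before any object is constructed, so a rejected class never reaches its constructor or a database write.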

At this stage, there is no known way to use this for arbitrary code execution, or arbitrary database access, thus the issue is rated low severity.

Download Patch for 3.1 | Download Patch for 3.0

Thanks to Simon Welsh for reporting and submitting a patch.
