SS-2014-010: Injection / Filesystem vulnerability in generatesecuretoken

Severity: Low
Identifier: SS-2014-010
Versions Affected: 3.0.10, 3.1.4, master
Versions Fixed: 3.0.11, 3.1.5, master
Release Date: 2014-05-07

A minor issue in the generatesecuretoken dev task made it possible to investigate files on the filesystem. By passing a relative filesystem path in the 'path' querystring parameter, the existence of any file could be reported. Additionally, the Content-Type header of this page's output was set to 'text/html', which means that HTML injection could allow JavaScript to be injected via the querystring.

This issue has been resolved by removing the unnecessary 'path' querystring parameter and ensuring that the output of this page is served with the correct 'text/plain' Content-Type header.

This attack could only be performed by a privileged user (administrator), meaning it had a very low risk of being exploited.
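
The two changes described above, shown as a before/after sketch in plain PHP. This is an added example, not the SilverStripe task's actual code; the function names, the 'secure-token.txt' file name and the response array shape are assumptions made for illustration.

```php
<?php
// Added illustration, not SilverStripe's code: function names, the file name and
// the response array shape are hypothetical.

// "Before" pattern from the advisory: a caller-supplied 'path' picks the file,
// its existence is reported, and the reply is served as text/html.
function token_task_before(array $query, string $baseDir): array
{
    $path  = $query['path'] ?? 'secure-token.txt';
    $state = file_exists($baseDir . '/' . $path) ? 'exists' : 'not found';
    return [
        'headers' => ['Content-Type' => 'text/html'],
        'body'    => "Token file $path: $state", // querystring value echoed as-is
    ];
}

// "After" pattern: 'path' is never read, the file name is fixed, output is plain text.
function token_task_after(array $query, string $baseDir): array
{
    $file  = 'secure-token.txt'; // constant, never taken from the request
    $state = file_exists($baseDir . '/' . $file) ? 'exists' : 'not found';
    return [
        'headers' => ['Content-Type' => 'text/plain; charset=utf-8'],
        'body'    => "Token file $file: $state",
    ];
}

// Constructed sample queries: a relative path and a value containing markup.
$probes = [['path' => '../other-file'], ['path' => '<b>x</b>']];
foreach ($probes as $query) {
    foreach (['token_task_before', 'token_task_after'] as $handler) {
        $response  = $handler($query, sys_get_temp_dir());
        $reflected = strpos($response['body'], $query['path']) !== false;
        printf("%-18s %-26s input reflected: %s\n", $handler,
            $response['headers']['Content-Type'], $reflected ? 'yes' : 'no');
    }
}
```

In the "after" handler the request no longer influences which file is checked or what text is returned, and a browser treats the response as plain text rather than markup.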
