SS-2014-013: Upload fileexists vulnerability

Severity: Low (?)
Identifier: SS-2014-013
Versions Affected: 3.1.4
Versions Fixed: 3.1.5
Release Date: 2014-05-07

When the `UploadField` is used (on either the front-end or the back-end), its `fileexists` method may expose the existence of files outside the designated upload folder. By supplying parent path selectors in the filename, it was possible to determine whether a file existed anywhere the web server had read access.

The issue has been resolved by triggering an HTTP error if a filename including a relative path is specified instead of a pathless filename.
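The check the fix describes, as an added illustration in plain PHP rather than SilverStripe's own `UploadField` code; the upload folder path, the function names and the sample filenames are assumptions:

```php
<?php
// Added example, not SilverStripe code: an existence check that only answers
// for bare filenames directly inside the upload folder and rejects any
// filename carrying a relative path with an HTTP 400, as the fix describes.

const UPLOAD_DIR = '/var/www/assets/Uploads'; // assumed upload folder

/**
 * True only for a pathless filename: no directory separators, no
 * current/parent-directory selectors, no NUL bytes, unchanged by basename().
 */
function isPathlessFilename(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if (strpbrk($name, "/\\") !== false) {
        return false;
    }
    if ($name === '.' || $name === '..') {
        return false;
    }
    return basename($name) === $name;
}

/**
 * Hardened fileexists: refuses anything that is not a bare filename, and as a
 * second line of defence refuses a name whose resolved path (symlinks included)
 * does not sit directly inside UPLOAD_DIR.
 */
function fileExistsInUploadFolder(string $name): bool
{
    if (!isPathlessFilename($name)) {
        http_response_code(400);
        throw new RuntimeException('Filename must not contain a path');
    }
    $candidate = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    $real = realpath($candidate); // false when the file does not exist
    if ($real !== false && dirname($real) !== realpath(UPLOAD_DIR)) {
        http_response_code(400);
        throw new RuntimeException('Filename resolves outside the upload folder');
    }
    return is_file($candidate);
}

// Constructed sample inputs: only the first is a pathless filename.
foreach (['photo.jpg', 'sub/photo.jpg', '../photo.jpg', '..'] as $name) {
    printf("%-14s => %s\n", $name, isPathlessFilename($name) ? 'accepted' : 'rejected');
}
```

The first check alone reproduces the advisory's fix; the `realpath` comparison additionally catches a symlink inside the upload folder that points elsewhere.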
