A new security patch release has been made available for sites on CMS 4.x to address issues identified with restricting access to some files saved in the CMS. It is recommended that all Site Owners with sites on CMS 4.x review the impact of the identified issues with their digital agency or internal development teams and make a plan to upgrade their sites.
As part of resolving the security issue, the release also includes optional file migration tasks that a development team can run to ensure that potentially vulnerable files are put into the correct protected state.
New patch releases are available now in the following CMS Recipe versions:
- CMS Recipe 4.4.6
- CMS Recipe 4.5.2
What should I do?
Firstly, make sure you read this update to gain a high-level understanding of the security vulnerability being rectified and find out if your site may be affected.
Then, you need to refer to the release change log announcement for a detailed explanation of how to find out if files in your CMS are exposed and how the migration tasks we’ve outlined can help resolve most scenarios. It is recommended that you discuss this release announcement with your digital agency or internal development team and make a plan to upgrade your site.
What does this release fix?
This release contains fixes that are essential to addressing the CVE-2020-9280 security issue and follow up work from the CVE-2019-12245 security issue that was released in September.
With these security issues left unfixed, it is possible that the access permissions set for your files in the CMS are not as you expect, which may result in these files being accessible to the public if the file URL is known, e.g.: 'https://mysite.com/assets/submission-folder/my-document.pdf'. This release stops these issues from occurring and provides file migration tasks to rectify files that may currently be vulnerable.
How can I find out if my site is affected?
Broadly speaking, your site could have files unintentionally exposed to the public if these files were added to your CMS through any method other than uploading files directly through the CMS ‘Files’ area. Common ways to do this are:
- Through the ‘User defined forms’ feature where the form includes a file upload field; or
- A custom-built form on the front-end of a website that allows users to upload files.
If your site is currently in this situation or had plans to do this, please read the full release change log announcement to understand the situation further and see if your site is affected.
What if my site is not on at least CMS Recipe 4.4
It is highly recommended that you arrange to upgrade to at least the new CMS Recipe 4.4.6 as soon as possible. It is important that you keep your website up to date and on a supported version to avoid exposing your site to undue risk.
Does this security issue affect sites on CMS 3.x?
No, this issue is not known to affect sites that are on CMS 3.x. It is, however, still recommended that you use this prompt to review any files in the CMS that you expect should be protected from the public. CMS 3.x instructions for this can be found in the Silverstripe CMS User Help guide.
What is the 'CMS Recipe'?
Our recommended approach for managing core Silverstripe CMS dependencies is through one of the official Recipes like ‘silverstripe/recipe-cms’, rather than by requiring individual modules like ‘silverstripe/framework’. As with previous releases, the versions noted in the release announcement refer to the version of the CMS Recipe, not the individual modules like ‘silverstripe/cms’ or ‘silverstripe/framework’. Details of the module versions used in each CMS Recipe release can be found on Packagist.
Release change log announcement
The release change log announcement provides the full detail of what is included in the release and whether the additional file migration tasks are recommended for your site.
You will find similar release notes for CMS Recipe 4.4.6.