
Posted Spam -> Blog module hacked!


35 Posts   6418 Views


Community Member, 791 Posts

8 July 2009 at 1:43am

Hmmm... that is interesting. ;-)

Thanks for the quick fix Banal !


Community Member, 904 Posts

8 July 2009 at 2:11am

Edited: 08/07/2009 2:11am

Hi cliersch

The patch fixes the issue for the version in trunk. In trunk, there's a helper method called IsOwner that checks for permissions, while in the official release, Permission::check('ADMIN') was used.
They do more or less the same thing.

If you've got the IsOwner method in your BlogHolder class, then you should be safe to apply the patch I provided. If you want to check the vulnerability, go ahead and use the file I attached (it's a simple HTML form; you should replace in the source code with your website). Using this form, you can send blog posts to your site without logging in.
If you apply the patch, this is no longer possible.

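As an added illustration of the flaw banal describes (a state-changing POST handler with no permission check) and of what the Permission::check('ADMIN') guard changes, here is a small WSGI model with a probe that submits the same kind of request the attached HTML form sends. This is example code written for this page, not code from the SilverStripe blog module or from the patch; the route `/blog/postblog`, the form fields `Title` and `BlogPost`, the cookie name `PHPSESSID` and the session table are all assumptions.

```python
# Added example, not SilverStripe code: a WSGI model of the unauthenticated
# blog-post flaw, the admin-only fix, and a probe that mimics the HTML form.
# Route, form field names, cookie name and session tokens are assumptions.
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

# Constructed session table: session token -> permission codes that member holds.
SESSIONS = {
    "s3ss10n-admin": {"ADMIN"},
    "s3ss10n-reader": set(),
}


def current_member_permissions(environ):
    """Permission codes for the session named by the request cookie; an
    anonymous request (no cookie or unknown token) gets an empty set."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("PHPSESSID")  # cookie name is an assumption
    if morsel is None:
        return set()
    return SESSIONS.get(morsel.value, set())


def permission_check(environ, code):
    """Stand-in for Permission::check(code): True only if the current member holds it."""
    return code in current_member_permissions(environ)


def make_blog_app(store, require_admin):
    """Build a WSGI app serving POST /blog/postblog.

    require_admin=False models the released module: any POST creates a post.
    require_admin=True models the patched module: the handler refuses the
    request before touching the datastore unless the member holds ADMIN.
    """
    def app(environ, start_response):
        if environ["REQUEST_METHOD"] != "POST" or environ["PATH_INFO"] != "/blog/postblog":
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        # The fix: authorise before doing anything that changes state.
        if require_admin and not permission_check(environ, "ADMIN"):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden"]
        length = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(length).decode())
        store.append({
            "Title": fields.get("Title", [""])[0],
            "BlogPost": fields.get("BlogPost", [""])[0],
        })
        start_response("302 Found", [("Location", "/blog/")])
        return [b""]
    return app


def probe_post(app, session_token=None):
    """Submit a blog post the way the HTML form does: no login unless a
    session token is supplied. Returns the HTTP status the handler sent."""
    body = urlencode({"Title": "probe", "BlogPost": "posted without logging in?"}).encode()
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/blog/postblog",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    if session_token is not None:
        environ["HTTP_COOKIE"] = f"PHPSESSID={session_token}"
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    app(environ, start_response)
    return captured["status"]


def run_checks():
    """Probe the unpatched and patched handlers; returns name -> (status, posts stored)."""
    results = {}
    vulnerable_store = []
    vulnerable = make_blog_app(vulnerable_store, require_admin=False)
    results["unpatched_anon"] = (probe_post(vulnerable), len(vulnerable_store))

    patched_store = []
    patched = make_blog_app(patched_store, require_admin=True)
    results["patched_anon"] = (probe_post(patched), len(patched_store))
    results["patched_reader"] = (probe_post(patched, "s3ss10n-reader"), len(patched_store))
    results["patched_admin"] = (probe_post(patched, "s3ss10n-admin"), len(patched_store))
    return results


if __name__ == "__main__":
    for name, (status, count) in run_checks().items():
        print(f"{name}: {status}, posts stored: {count}")
```

The point the probe makes is the one banal's HTML form makes against a live site: an anonymous POST to the unpatched handler is accepted and stored, while the patched handler rejects it (and a logged-in member without ADMIN) before any write happens. Note that the check has to run before the write, not after; moving it later would still leave the spam post in the database.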

Community Member, 75 Posts

8 July 2009 at 2:58am

Hi banal! Thank you very much for the quick help! I checked my website with your HTML post form. It is secured! Postings like these are no longer allowed! Great work! :-)
I'm going to update all our sites now...
Guess this is going to be part of the next blog release.


Community Member, 904 Posts

8 July 2009 at 3:26am

Oh dear. Out of curiosity I checked if this works with and indeed it did...

Some admin fix this please... and remove my "proof of concept" html file, as it would probably do more harm than good.


Community Member, 791 Posts

8 July 2009 at 5:27am

whoops... did you mail Silverstripe about this already ?


Community Member, 904 Posts

8 July 2009 at 6:04am

Yeah.. I tried to get in touch with them. But most likely they're all sleeping :/


Community Member, 607 Posts

8 July 2009 at 8:47am

Ouch. Well at least it was finally caught before rampant damage was caused.

Can I suggest Banal's fix be put in the "Announcements" section of the "Blog Module" forum, with a link to this thread?

Well done guys and gals.



Administrator, 690 Posts

8 July 2009 at 10:16am

Edited: 08/07/2009 11:12am

Hi everyone,

Thanks for everyone's help in getting to the bottom of this issue. We have committed a fix for this to the SVN trunk of blog. If you are using trunk, the best thing to do now is to update to the latest revision of trunk - r81263.

For those of you on version 0.2.0 of blog, we will be releasing an 0.2.1 release in the next few hours. The 0.2.1 release will be the same as 0.2.0 except for this fix.