Version 1.0.7 of the CWP Basic Recipe has been released on 26th March 2015.
This release includes patches for high-severity security vulnerabilities in the cms module, and resolves an issue with GridField in the framework module. The GridField issue is a bug that was introduced in 1.0.6. It was reported as a bug by an agency, which found that it prevented them from deleting assets in the normal way. We apologise for the inconvenience this caused.
Agencies should perform this upgrade ASAP. This release only includes updates to the cms and framework modules and not any other recipe modules.
When do you need to perform this upgrade?
Agencies must upgrade prior to 31st May 2015. If an agency has not upgraded by that date, SilverStripe is obliged to perform the upgrade under the terms of the contract. This is a last resort as it will incur cost and creates a risk of functionality breaking.
Information to help manage upgrades is here.
Details of the vulnerabilities
By default, user permissions are not validated by the SiteTree::canCreate method unless it is overridden by user code or via the configuration system.
This vulnerability allows users, or unauthenticated guests, to create new SiteTree objects in the database. It is present when such users are given CMS access via other means, or when another mechanism (such as the RestfulServer module) allows model editing and relies on model-level permission checks.
This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.
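As an added illustration of what "overridden by user code" can look like (this is an example, not the 1.0.7 patch or any CWP module code), the following hypothetical SilverStripe 3.1 DataExtension is attached to SiteTree through the configuration system and vetoes page creation for guests and for members without CMS access; the class name and the use of the CMS_ACCESS_CMSMain permission code are assumptions. It does not replace the upgrade, which also fixes the hash link issue.

```php
<?php
// Hypothetical extension (example only, not the 1.0.7 patch).
// Attach it to SiteTree via the configuration system, for example in
// mysite/_config/config.yml:
//
//   SiteTree:
//     extensions:
//       - SiteTreeCreatePermissionExtension
//
class SiteTreeCreatePermissionExtension extends DataExtension {

    /**
     * Invoked by SiteTree::canCreate() via DataObject::extendedCan().
     * Returning false vetoes creation; returning null defers to the
     * default logic, so admins and other checks are left untouched.
     *
     * @param Member|int|null $member  Member object, member ID, or null
     * @return bool|null
     */
    public function canCreate($member) {
        if(!$member) {
            $member = Member::currentUser();
        }
        // Unauthenticated guests must never create pages, whichever
        // route (CMS, RestfulServer, custom code) reached the model.
        if(!$member) {
            return false;
        }
        // Members without any CMS access are denied as well.
        if(!Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) {
            return false;
        }
        // Otherwise defer to SiteTree's own checks.
        return null;
    }
}
```

After adding the config entry, run a `dev/build?flush=1` so the extension is registered before relying on it.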
Additionally, an issue in the rewriting of hash links has been resolved, which closes a potential cross-site scripting vulnerability. A link to a page containing a hash link could carry a query string containing unsafe content, and this would be embedded into the content of the page without being escaped.
This vulnerability affects all websites.
Further information can be found in the 1.0.7 changelog here.
Is my site vulnerable?
All websites are vulnerable to at least one of the security issues noted.
Technical Upgrade Guide
These fixes will be included in the CWP recipe 1.0.7, but will also be available to users of the SilverStripe framework and cms 3.1.12.
A description for technical staff on how to carry out an upgrade is found here.