Security Releases

When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.

• SS-2015-012: External redirection risk in Security?ReturnURL

  Severity:

  Medium (?)

  Identifier:

  SS-2015-012

  Versions Affected:

  3.0.13 and below, 3.1.0 to 3.1.13-rc1

  Versions Fixed:

  3.0.14, 3.1.13

  Release Date:

  2015-05-28

  A vulnerability has been found in the SilverStripe framework where a login url can be potentially redirected to an external site.

  For example, the url http://www.my-silverstripe-site.com/Security/login?BackURL=/\attacker-site.com will redirect successful logins to the page http://attacker-site.com. If that website were set up to look identical to the first with "login failed" then the user will likely just enter their user/pass again.

  Common Vulnerability Scoring System (CVSS) Information

  Credit to Matt Lang for reporting this issue.

• SS-2015-011: Potential SQL Injection Vulnerability

  Severity:

  Low (?)

  Identifier:

  SS-2015-011

  Versions Affected:

  3.0.13 and below, 3.1.0 to 3.1.13-rc1

  Versions Fixed:

  3.0.14, 3.1.13

  Release Date:

  2015-05-28

  A potential SQL injection vulnerability exists in SQLQuery when used in conjunction with the default FulltextSearch functionality.

  When a search query containing the term " as " is performed, SQLQuery will misunderstand the SQL generated by MySQLDatabase and attempt to rewrite the query in a way that generates malformed queries. This is due to support for legacy behaviour being incorrectly implemented. However, valid SQL cannot be generated using this exploit.

  A fix has been applied to correct the legacy support.

  Common Vulnerability Scoring System (CVSS) information

  Thanks to Ed Chipman for reporting this vulnerability.

• SS-2015-010: XSS in Director::force_redirect()

  Severity:

  Low (?)

  Identifier:

  SS-2015-010

  Versions Affected:

  3.1.0 to 3.1.11

  Versions Fixed:

  3.1.12

  Release Date:

  2015-03-20

  A low level XSS vulnerability has been found in the Framework affecting http redirection via the Director::force_redirect method.

  Attempts to redirect to a url may generate HTML which is not safely escaped, and may pose a risk of XSS in some environments.

  This vulnerability is marked low as it is difficult to exploit, as any injected HTML will only be returned from the server if the Location HTTP header is also sent, meaning that any user browsing the site would not be exposed to the body of the response before their browser redirects them.

• SS-2015-009: XSS In rewritten hash links

  Severity:

  High (?)

  Identifier:

  SS-2015-009

  Versions Affected:

  3.0.12 and below, 3.1.0 - 3.1.11

  Versions Fixed:

  3.0.13, 3.1.12

  Release Date:

  2015-03-20

  A high level XSS vulnerability has been discovered in the SilverStripe framework which causes links containing hash anchors (E.g. href="#anchor") to be rewritten in an unsafe way.

  The rewriteHashlinks option on SSViewer will rewrite these to contain the current url, although without adequate escaping, meaning that HTML could be injected via injecting unsafe values to any page via the querystring.

  Due to the nature of this issue it is likely that a large number of SilverStripe sites are affected.

  Special credit to Dariusz Półtorak for reporting the issue and providing us with lots of helpful information, as well as the "Happy Endians" team, part of CP DDB.

• SS-2014-017: XML Quadratic Blowup Attack

  Severity:

  Low (?)

  Identifier:

  SS-2014-017

  Versions Affected:

  3.1.11 and below

  Versions Fixed:

  3.1.12

  Release Date:

  2015-03-20

  A low level vulnerability has been found in the SilverStripe framework, where the Quadratic Blowup Attack could potentially be exploited to affect the performance of a site.

  See http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/ for a writeup.

  Thanks to Jamie Totten.

• SS-2014-015: IE requests not properly behaving with rewritehashlinks

  Severity:

  Medium (?)

  Identifier:

  SS-2014-015

  Versions Affected:

  3.0.12 and below, 3.1.0 - 3.1.11

  Versions Fixed:

  3.0.13, 3.1.12

  Release Date:

  2015-03-20

  Non IE browsers don’t appear to be affected, but I haven’t tested a wide range of browsers to be sure 

  Requests that come through from IE do NOT appear to encode all entities in the URL string, meaning they are inserted into output content directly by SSViewer::process() when rewriting hashlinks, as it directly outputs $_SERVER[‘REQUEST_URI’]

  Example IE8 request
  127.0.0.1 - - [18/Jun/2014:14:13:42 +1000] “GET /site/cars/brands/toyota?one=1\”onmouseover=\”alert(‘things’);\” HTTP/1.1” 200

  Example FF request
  127.0.0.1 - - [18/Jun/2014:14:14:22 +1000] “GET /site/cars/brands/toyota?one=1\%22onmouseover=\%22alert(%27things%27);\%22 HTTP/1.1” 200

  This causes any hash anchor to have the JS code inserted into the page as-is.

   

  Credit to Marcus Nyeholt for identifying this issue

• SS-2015-008: SiteTree Creation Permission Vulnerability

  Severity:

  High (?)

  Identifier:

  SS-2015-008

  Versions Affected:

  3.1.0 - 3.1.10, 3.1.11-rc1, 3.0.11 and below

  Versions Fixed:

  3.0.12, 3.1.11

  Release Date:

  2015-03-19

  A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system.

  This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks.

  This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.

  All users should upgrade as soon as possible.

• SS-2015-007: XSS In FormAction

  Severity:

  Medium (?)

  Identifier:

  SS-2015-007

  Versions Affected:

  3.1.9 and lower

  Versions Fixed:

  3.1.10

  Release Date:

  2015-02-19

  A cross-site scripting vulnerability has been discovered in the FormAction field where a user-specified title may be specified.

  Reported by Hugh Davenport - All The Things Ltd

• SS-2015-006: XSS In GridField print

  Severity:

  Medium (?)

  Identifier:

  SS-2015-006

  Versions Affected:

  3.1.9 and lower

  Versions Fixed:

  3.1.10

  Release Date:

  2015-02-19

  A cross-site scripting vulnerability has been discovered in the print view of  GridField.

  This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any field of an object in a GridField, and the print feature is used.

  This has been resolved by ensuring that the print feature safely escapes all fields.

  Reported by Hugh Davenport - All The Things Ltd

• SS-2015-005: VirtualPage XSS

  Severity:

  Medium (?)

  Identifier:

  SS-2015-005

  Versions Affected:

  3.1.9 and lower

  Versions Fixed:

  3.1.10

  Release Date:

  2015-02-19

  A cross-site scripting vulnerability has been discovered in the VirtualPage class.

  This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the textfields of a page which a VirtualPage refers to.

  This has been resolved by ensuring that VirtualPage safely escapes all field content.

  Reported by Hugh Davenport - All The Things Ltd

• SS-2015-004: TreeDropdownField and TreeMultiSelectField XSS

  Severity:

  Medium (?)

  Identifier:

  SS-2015-004

  Versions Affected:

  3.1.9 and lower

  Versions Fixed:

  3.1.10

  Release Date:

  2015-02-19

  A cross-site scripting vulnerability has been discovered in the TreeDropdownField and TreeMultiSelectField.

  This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the dataobjects used as a data source for either of these fields.

  This has been resolved by ensuring that all dataobjects used as a data source have their content safely encoded.

  Reported by Hugh Davenport - All The Things Ltd

• SS-2015-003: History XSS Vulnerability

  Severity:

  Medium (?)

  Identifier:

  SS-2015-003

  Versions Affected:

  3.1.9 and lower

  Versions Fixed:

  3.1.10

  Release Date:

  2015-02-19

  A cross-site scripting vulnerability has been discovered in the CMS page history tab.

  This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the text fields on a page, and if the "compare mode" option is selected. The HTML will be embedded into the page unescaped.

  This has been resolved by performing the text comparison in a HTML friendly way.

  Reported by Hugh Davenport - All The Things Ltd

• SS-2015-001: Debug information exposed

  Severity:

  Low (?)

  Identifier:

  SS-2015-001

  Versions Affected:

  3.1.9 and lower

  Versions Fixed:

  3.1.10

  Release Date:

  2015-02-19

  A minor issue has been noted where file path information (such as the directory the site is hosted in) can be unintentionally exposed during a browser redirection.

  The fix for this issue is to only show this information when the site is in developer mode.

• SS-2014-018: Open file permissions vulnerability

  Severity:

  High (?)

  Identifier:

  SS-2014-018

  Versions Affected:

  3.1

  Versions Fixed:

  3.1.9

  Release Date:

  2015-01-15

  The 'edit' & 'delete' actions of UploadField are accessible by unauthenticated users which allows them to alter the file ID in the URL to access any file recorded in the database.

  This allows the user unrestricted access to;

  • Alter the file or folder name
  • Alter the parent folder
  • Rename the file
  • Change the file owner
  • Delete the file or folder

  This can be performed on any UploadField used on the front-end unless custom logic has been applied to the File class via a DataExtension which implements the canEdit method.

  UploadField's in the admin section are also affected but can only be accessed by users who have access to the admin section and have access to an UploadField.

  Workaround: 3.1.8 and older

  In the immediate term user code can be patched to fix this vulnerability prior to the 3.1.9 release. The following two files should be created (and customised) as necessary.

  In mysite/_config/security.yml put the following:

  ---
  Name: filesecurity
  ---
  File:
    extensions:
      - FileSecurityExtension

  In mysite/code/FileSecurityExtension.php put the following

  
  <?php
  class FileSecurityExtension extends DataExtension {
      public function canEdit($member) {
          return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
          // Or replace with the appropriate permission code
      }
  }

• SS-2014-016: Login count is not updated properly when basicauth is used.

  Severity:

  Low (?)

  Identifier:

  SS-2014-016

  Versions Affected:

  3.1

  Versions Fixed:

  3.1.7

  Release Date:

  2014-11-08

  Login count is not updated properly when basicauth is used, leading to a viable bruteforce attack.

• Prev
• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• Next