Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.

SS-2015-005: VirtualPage XSS
- Severity: Medium
- Identifier: SS-2015-005
- Versions Affected: 3.1.9 and lower
- Versions Fixed: 3.1.10
- Release Date: 2015-02-19
A cross-site scripting vulnerability has been discovered in the VirtualPage class.
This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the text fields of a page which a VirtualPage refers to.
This has been resolved by ensuring that VirtualPage safely escapes all field content.
Reported by Hugh Davenport - All The Things Ltd

SS-2015-004: TreeDropdownField and TreeMultiSelectField XSS
- Severity: Medium
- Identifier: SS-2015-004
- Versions Affected: 3.1.9 and lower
- Versions Fixed: 3.1.10
- Release Date: 2015-02-19
A cross-site scripting vulnerability has been discovered in the TreeDropdownField and TreeMultiSelectField.
This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the DataObjects used as a data source for either of these fields.
This has been resolved by ensuring that all DataObjects used as a data source have their content safely encoded.
Reported by Hugh Davenport - All The Things Ltd

SS-2015-003: History XSS Vulnerability
- Severity: Medium
- Identifier: SS-2015-003
- Versions Affected: 3.1.9 and lower
- Versions Fixed: 3.1.10
- Release Date: 2015-02-19
A cross-site scripting vulnerability has been discovered in the CMS page history tab.
This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the text fields on a page, and if the "compare mode" option is selected. The HTML will be embedded into the page unescaped.
This has been resolved by performing the text comparison in an HTML-friendly way.
Reported by Hugh Davenport - All The Things Ltd
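The three advisories above (SS-2015-005, SS-2015-004 and SS-2015-003) share one root cause: text typed into CMS fields was rendered into HTML without escaping, and in the history tab's compare mode the diff markup was added around the raw text. The following is an added example, not SilverStripe's own VirtualPage, TreeDropdownField or Diff code: it escapes every field value before it reaches the page, and for compare mode it escapes each token before wrapping it in the diff's own markup, so the only tags in the output are the ones the diff writes. It assumes plain PHP 7.4+ and uses constructed sample values.

```php
<?php
// Added example (not SilverStripe's Diff, VirtualPage or TreeDropdownField code).
// CMS field values are untrusted text: escape them before rendering, including
// when two versions of a field are compared in the history tab's compare mode.

/** Escape a CMS field value for an HTML text or attribute context. */
function escapeField(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Word-level diff of two field values. Each token is escaped before any
 * <del>/<ins> markup is added, so tags typed into the field stay inert.
 */
function htmlSafeDiff(string $old, string $new): string
{
    $a = preg_split('/\s+/', trim($old), -1, PREG_SPLIT_NO_EMPTY);
    $b = preg_split('/\s+/', trim($new), -1, PREG_SPLIT_NO_EMPTY);
    $n = count($a);
    $m = count($b);

    // Longest-common-subsequence table, filled from the end of both sequences.
    $lcs = array_fill(0, $n + 1, array_fill(0, $m + 1, 0));
    for ($i = $n - 1; $i >= 0; $i--) {
        for ($j = $m - 1; $j >= 0; $j--) {
            $lcs[$i][$j] = ($a[$i] === $b[$j])
                ? $lcs[$i + 1][$j + 1] + 1
                : max($lcs[$i + 1][$j], $lcs[$i][$j + 1]);
        }
    }

    // Walk the table, emitting escaped tokens with deletion/insertion markup.
    $out = [];
    $i = $j = 0;
    while ($i < $n && $j < $m) {
        if ($a[$i] === $b[$j]) {
            $out[] = escapeField($a[$i]);
            $i++;
            $j++;
        } elseif ($lcs[$i + 1][$j] >= $lcs[$i][$j + 1]) {
            $out[] = '<del>' . escapeField($a[$i]) . '</del>';
            $i++;
        } else {
            $out[] = '<ins>' . escapeField($b[$j]) . '</ins>';
            $j++;
        }
    }
    for (; $i < $n; $i++) {
        $out[] = '<del>' . escapeField($a[$i]) . '</del>';
    }
    for (; $j < $m; $j++) {
        $out[] = '<ins>' . escapeField($b[$j]) . '</ins>';
    }
    return implode(' ', $out);
}

// Constructed sample: a page title edited by a CMS user to contain markup.
$before = 'Welcome to our site';
$after  = 'Welcome to our <script>alert(1)</script> site';

// Compare mode: the inserted tag appears as visible text inside <ins>, not as a script.
echo htmlSafeDiff($before, $after), "\n";

// The same escaping applies wherever a single field value is rendered, for
// example an option label in a tree dropdown built from a page title.
echo '<option value="7">' . escapeField($after) . '</option>', "\n";
```

Escaping per token rather than escaping the finished diff is the important design choice: escaping afterwards would also neutralise the `<del>` and `<ins>` wrappers, while escaping only the raw input before tokenising can split an entity across tokens. Run the file with `php` to see both outputs.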

SS-2015-001: Debug information exposed
- Severity: Low
- Identifier: SS-2015-001
- Versions Affected: 3.1.9 and lower
- Versions Fixed: 3.1.10
- Release Date: 2015-02-19
A minor issue has been noted where file path information (such as the directory the site is hosted in) can be unintentionally exposed during a browser redirection.
The fix for this issue is to only show this information when the site is in developer mode.

SS-2014-018: Open file permissions vulnerability
- Severity: High
- Identifier: SS-2014-018
- Versions Affected: 3.1
- Versions Fixed: 3.1.9
- Release Date: 2015-01-15
The 'edit' & 'delete' actions of UploadField are accessible by unauthenticated users, which allows them to alter the file ID in the URL to access any file recorded in the database.
This allows the user unrestricted access to:
- Alter the file or folder name
- Alter the parent folder
- Rename the file
- Change the file owner
- Delete the file or folder
This can be performed on any UploadField used on the front-end unless custom logic has been applied to the File class via a DataExtension which implements the canEdit method.
UploadFields in the admin section are also affected, but can only be accessed by users who have access to the admin section and have access to an UploadField.
Workaround: 3.1.8 and older
In the immediate term user code can be patched to fix this vulnerability prior to the 3.1.9 release. The following two files should be created (and customised) as necessary.
In mysite/_config/security.yml put the following:

---
Name: filesecurity
---
File:
  extensions:
    - FileSecurityExtension

In mysite/code/FileSecurityExtension.php put the following:

<?php
// Adds a canEdit() check to File so that the UploadField 'edit' and 'delete'
// actions are only available to members holding the given permission.
class FileSecurityExtension extends DataExtension {
    public function canEdit($member) {
        // Or replace with the appropriate permission code
        return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
    }
}

SS-2014-016: Login count is not updated properly when basicauth is used
- Severity: Low
- Identifier: SS-2014-016
- Versions Affected: 3.1
- Versions Fixed: 3.1.7
- Release Date: 2014-11-08
The login count is not updated properly when basicauth is used, leading to a viable brute-force attack.

SS-2014-014: Front end UploadField exposes lists of assets
- Severity: Low
- Identifier: SS-2014-014
- Versions Affected: 3.1
- Versions Fixed: 3.1.7
- Release Date: 2014-11-08
When used on a front-end form, it's possible for an UploadField to be exploited to expose the list of files within an assets subdirectory to users who do not have permission to view those files.
Thanks to Filype Pereira for reporting.

SS-2014-013: Upload fileexists vulnerability
- Severity: Low
- Identifier: SS-2014-013
- Versions Affected: 3.1.4
- Versions Fixed: 3.1.5
- Release Date: 2014-05-07
If using the `UploadField` (either on the front-end or the back-end) the `fileexists` method may expose the existence of files outside of the designated upload folder. Using parent path selectors it was possible to determine the existence of files anywhere the web server had read access.
The issue has been resolved by triggering an HTTP error if a filename including a relative path is specified instead of a pathless filename.

SS-2014-012: File Upload Restrictions
- Severity: Medium
- Identifier: SS-2014-012
- Versions Affected: 2.4, 3.0, 3.1
- Versions Fixed: 3.2, master
- Release Date: 2014-05-07
Certain file types have been removed from the default allowed extensions, as these have been deemed at risk of exploitation. As of 3.2, these may not be allowed to be uploaded via `UploadField` or `Upload` form fields by default, unless explicitly allowed. This risk has been identified not only on the front end, but also within the CMS.
Plain text formats XML, HTML, XHTML and HTM have been removed as they present a risk of JavaScript injection, which may hijack the session of unsuspecting viewers, including administrators and front-end users. This attack may be performed by script directly within the body of such documents, or linked externally.
SWF (Adobe Flash) has also been removed as a default uploadable format. Details of the risk this format poses, and workarounds to mitigate these risks in your production environment, can be found in the Security Documentation.

SS-2014-011: Folder filename injection
- Severity: Low
- Identifier: SS-2014-011
- Versions Affected: 3.0.10, 3.1.4, master
- Versions Fixed: 3.0.11, 3.1.5, master
- Release Date: 2014-05-07
When editing files and assets in the CMS it was possible to rename a folder using invalid characters, allowing the resulting filename to be injected directly into the HTML of the page. Although the folder itself would have these invalid characters stripped, the `Title` field of folders would not be cleaned using the same method.
The fix to this issue is to ensure that the Name and Title of Folder objects are now both correctly cleaned of invalid characters.
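SS-2014-013, SS-2014-012 and SS-2014-011 above are all about what a file or folder name is allowed to look like when it arrives from a form. The following is an added example, not SilverStripe's Upload, UploadField or Folder code: it refuses a filename that carries any path component (the fileexists fix), applies an explicit extension allow-list from which HTML, XML and SWF are absent (the 3.2 default change), and runs a folder's Title through the same cleaning routine as its Name (the Folder fix). It assumes plain PHP 7.4+; the allow-list and the sample inputs are constructed for the example.

```php
<?php
// Added example, not SilverStripe's Upload/UploadField/Folder code. Three checks
// drawn from the advisories above: a fileexists-style filename must be a single
// path component (SS-2014-013), only allow-listed extensions are accepted
// (SS-2014-012), and a folder's Name and Title are cleaned identically (SS-2014-011).

/** Constructed allow-list; HTML, XML, XHTML, HTM and SWF are deliberately absent. */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'docx'];

/**
 * Refuse anything that is not exactly one path component, so a relative path
 * can never be used to probe for files outside the upload folder.
 */
function assertPathlessFilename(string $name): void
{
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name)
        || strpbrk($name, "/\\") !== false
        || strpos($name, "\0") !== false) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);   // the 3.1.5 behaviour: an HTTP error, not a probe
        }
        throw new InvalidArgumentException('Filename must not contain a path');
    }
}

/** Case-insensitive allow-list check; a file with no extension is rejected too. */
function hasAllowedExtension(string $name, array $allowed = ALLOWED_EXTENSIONS): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

/**
 * Strip characters that do not belong in a file or folder name. The point of
 * SS-2014-011 is that Title, which is rendered back into the CMS, must go
 * through exactly the same routine as Name.
 */
function cleanName(string $raw): string
{
    $clean = preg_replace('/[^A-Za-z0-9._ -]/', '', $raw);
    $clean = trim(preg_replace('/\s+/', ' ', $clean));
    return $clean === '' ? 'untitled' : $clean;
}

/** Both stored fields derive from the cleaned value, never from the raw submission. */
function storeFolder(string $submittedName): array
{
    $name = cleanName($submittedName);
    return ['Name' => $name, 'Title' => $name];
}

// Constructed inputs a front-end form might submit.
foreach (['report.pdf', '../../.htaccess', 'promo.swf', 'notes.HTML', 'logo.PNG'] as $f) {
    try {
        assertPathlessFilename($f);
        $verdict = hasAllowedExtension($f) ? 'accepted' : 'rejected (extension)';
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected (path)';
    }
    printf("%-18s %s\n", $f, $verdict);
}

// A folder title carrying markup loses the characters that made it markup.
print_r(storeFolder('Photos<img src=x onerror=alert(1)>'));
```

The path check is deliberately redundant (`basename()` comparison plus an explicit separator scan): `basename()` alone behaves differently across platforms and locales, and the cost of a second test is nothing next to the cost of a traversal. The extension check is an allow-list rather than a block-list for the same reason the 3.2 default changed: new dangerous formats appear, new safe ones rarely do.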

SS-2014-010: Injection / Filesystem vulnerability in generatesecuretoken
- Severity: Low
- Identifier: SS-2014-010
- Versions Affected: 3.0.10, 3.1.4, master
- Versions Fixed: 3.0.11, 3.1.5, master
- Release Date: 2014-05-07
A minor issue in the generatesecuretoken dev task enabled investigation of files on the filesystem. This attack allowed the existence of any file to be reported by passing a relative filesystem path in the 'path' querystring parameter. Additionally, the Content-Type header of the results of this page was set to 'text/html', which means that HTML injection could enable JavaScript to be injected via the querystring.
This issue has been resolved by removing the unnecessary 'path' querystring parameter, and ensuring the output of this page was correctly given the 'text/plain' Content-Type header.
This attack may only be performed by a privileged user (administrator), meaning it had a very low risk of being exploited.

SS-2014-009: Potential DoS exploit in TinyMCE
- Severity: Low
- Identifier: SS-2014-009
- Versions Affected: 3.1.4, 3.0.10, and all versions before
- Release Date: 2014-05-07
A vulnerability has been found in the Framework's TinyMCE version where an attacker can leverage the compressor to generate large responses that are also cached on disk.
The impact of this issue is limited by the URL length cap enforced by web servers and Suhosin, and is dependent on the availability of zlib on the server: substantially larger responses can be generated if zlib is not installed.
The Framework's version of TinyMCE has been patched to filter the parameters responsible for this, and a fix has been submitted and merged into upstream TinyMCE, which will independently make its way into the next major/minor version of the Framework.

SS-2014-007: Confidentiality breach can occur between draft and live modes
- Severity: Medium
- Identifier: SS-2014-007
- Versions Affected: 3.1.3, 3.0.9, and all versions before
- Versions Fixed: 3.1.4, 3.0.10
- Release Date: 2014-04-01
In cases where partial caching is used in templates, it's possible for content viewed in one versioned mode (such as stage) to be cached and presented later to other users in live. This issue also extends to content that may be customised for individual users, such as login status. This may lead to incorrect data being presented within partially cached data, or may leak confidential or unpublished data that should not be viewable.
In order to resolve this a global caching key is applied to all partial caches by default. This is a string which is automatically added to the cache identifier for all partial caches. By default this is set to '$CurrentReadingMode, $CurrentUser.ID', but it can be customised by setting the config value for 'SSViewer.global_key', and can contain any template syntax.
This fix will likely require some adjustment for websites which allow user logins, as the default global cache key may not be appropriate in all situations.
For instance, if your partial caching already handles user login status where necessary, this key can be simplified to only segment by reading mode. In your config.yml you should change this key as below:

SSViewer:
  global_key: '$CurrentReadingMode'

To upgrade, download or update with Composer.
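To make the effect of the global key concrete, here is an added example that is not SilverStripe's SSViewer partial-cache implementation: a minimal partial cache whose lookup key combines the fragment's own key with a global key computed from the request context. It is run once with an empty global key (the pre-3.1.4 behaviour, where an editor's stage render is served to an anonymous live visitor) and once with the '$CurrentReadingMode, $CurrentUser.ID' default. The cache backend, the template fragment and the two request contexts are constructed for the example; it assumes plain PHP 7.4+.

```php
<?php
// Added example, not SilverStripe's SSViewer partial cache. Models a partial
// cache whose key is the fragment key plus a global key derived from request
// context (reading mode and current user), as the SS-2014-007 fix describes.

final class PartialCache
{
    /** @var array<string,string> in-memory stand-in for the real cache backend */
    private array $store = [];

    /** @var callable(array):string builds the global key from request context */
    private $globalKey;

    public function __construct(callable $globalKey)
    {
        $this->globalKey = $globalKey;
    }

    /** Return the cached render of $fragmentKey for $context, rendering on a miss. */
    public function fetch(string $fragmentKey, array $context, callable $render): string
    {
        $key = sha1(($this->globalKey)($context) . '|' . $fragmentKey);
        if (!array_key_exists($key, $this->store)) {
            $this->store[$key] = $render($context);
        }
        return $this->store[$key];
    }
}

// The template fragment being cached: a menu that lists an unpublished draft
// page in stage mode, and a greeting that depends on who is logged in.
$renderMenu = function (array $ctx): string {
    $items = $ctx['mode'] === 'Stage'
        ? ['Home', 'About', 'Secret launch (draft)']
        : ['Home', 'About'];
    $who = $ctx['userId'] ? "user #{$ctx['userId']}" : 'guest';
    return "[$who] " . implode(' | ', $items);
};

// Constructed request contexts: an editor previewing stage, then an anonymous live visitor.
$editorOnStage = ['mode' => 'Stage', 'userId' => 42];
$visitorOnLive = ['mode' => 'Live',  'userId' => 0];

// Before the fix: the key ignores reading mode and user, so the editor's stage
// render, draft title and all, is what the anonymous live visitor receives.
$leaky = new PartialCache(fn(array $ctx) => '');
$leaky->fetch('Menu', $editorOnStage, $renderMenu);
echo 'Shared key, live visitor sees:    ', $leaky->fetch('Menu', $visitorOnLive, $renderMenu), "\n";

// With the default global key '$CurrentReadingMode, $CurrentUser.ID', the two
// contexts resolve to different cache entries and each gets its own render.
$segmented = new PartialCache(fn(array $ctx) => "{$ctx['mode']}, {$ctx['userId']}");
$segmented->fetch('Menu', $editorOnStage, $renderMenu);
echo 'Segmented key, live visitor sees: ', $segmented->fetch('Menu', $visitorOnLive, $renderMenu), "\n";

// The simplified config above ('$CurrentReadingMode' only) corresponds to a
// global key of just $ctx['mode']: enough to keep draft out of live, but the
// greeting would then be shared between users unless the template segments it.
```

When deciding whether to simplify the key, ask which of the cached fragments vary per user; the reading-mode part of the key is the one that protects unpublished content and should stay regardless.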

SS-2014-006: XSS in returnURL redirection
- Severity: Low
- Identifier: SS-2014-006
- Versions Affected: 3.0.9, 3.1.3, and all versions before
- Versions Fixed: 3.0.10, 3.1.4
- Release Date: 2014-04-01
If an attacker can set the URL passed to Controller->redirect() and output is sent to the browser before the redirect can occur, the URL may be output directly to the browser.
This can potentially be exploited through dev/build, i.e. http://site.com/dev/build?returnURL=/"><h1>Hacked!</h1><!--
If the response is buffered enough that output hasn’t been sent to the browser yet this particular attack vector isn’t available on a stock install, but others may be and it may still be available in customised installs.
The fix is to escape the URL before displaying it to the user.
Download Patch for 3.1 | Download Patch for 3.0
Thanks to Simon Welsh for reporting and providing a patch.
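The following is an added example, not the Controller->redirect() patch itself. It builds the fallback HTML a redirect can emit once headers have already been sent, with the URL escaped for the attribute and text contexts it is placed in, which is the fix the advisory describes. It goes one step further than the advisory and also refuses targets that are neither a site-relative path nor on an allowed host, since a redirect endpoint that accepts arbitrary URLs is an open-redirect risk even when escaping is correct. The allowed host and the sample targets are constructed; the first target is the returnURL shown above. Plain PHP 7.4+ is assumed.

```php
<?php
// Added example, not SilverStripe's Controller->redirect(). Shows the escaped
// fallback output the SS-2014-006 fix calls for, plus a target check that goes
// beyond the advisory: only site-relative paths or allow-listed hosts are honoured.

function isSafeRedirectTarget(string $url, array $allowedHosts): bool
{
    // Site-relative path: a single leading "/" ("//host" would be scheme-relative).
    if (preg_match('#^/(?!/)#', $url)) {
        return true;
    }
    $parts = parse_url($url);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

/** HTML shown to the browser when a Location header can no longer be sent. */
function redirectFallbackHtml(string $url, array $allowedHosts = ['site.com']): string
{
    if (!isSafeRedirectTarget($url, $allowedHosts)) {
        $url = '/';   // refuse off-site or malformed targets; fall back to the home page
    }
    // ENT_QUOTES matters: the URL sits inside a double-quoted href, so an
    // unescaped quote is exactly what lets a crafted returnURL break out of it.
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Redirecting to <a href=\"{$safe}\">{$safe}</a>.</p>\n";
}

// The returnURL from the advisory, an ordinary CMS path, and an off-site target.
foreach (['/"><h1>Hacked!</h1><!--', '/admin/pages', 'http://attacker.example/'] as $target) {
    echo redirectFallbackHtml($target);
}
```

Running the file shows the advisory's payload rendered as literal text (`&quot;&gt;&lt;h1&gt;...`), the CMS path passed through unchanged, and the off-site target replaced by `/`.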

SS-2014-005: Arbitrary class creation in CMS backend
- Severity: Low
- Identifier: SS-2014-005
- Versions Affected: 3.0.9, 3.1.3, and all previous versions
- Versions Fixed: 3.0.10, 3.1.4
- Release Date: 2014-04-01
By changing the PageType value passed to CMSPageAddController, a user is able to create any arbitrary class. If this class is a DataObject, it will be written to the database. This allows a user to create classes that they should not be able to.
This is fixed by changing CMSMain->getNewItem() to only create classes that are subclasses of the tree_class (SiteTree in most cases).
At this stage, there is no known way to use this for arbitrary code execution or arbitrary database access, thus the issue is rated low severity.
Download Patch for 3.1 | Download Patch for 3.0
Thanks to Simon Welsh for reporting and submitting a patch.
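The shape of that fix, as an added example rather than CMSMain->getNewItem() itself: a class name taken from the request is only instantiated when it names an existing class within the controller's tree class hierarchy. The classes `SiteTree`, `Page`, `HomePage` and `Member` below are constructed stand-ins for the real SilverStripe hierarchy, and the example permits the tree class itself as well as its descendants, which is a design choice of this example rather than something the advisory states. Plain PHP 7.4+ is assumed.

```php
<?php
// Added example, not CMSMain->getNewItem(). A user-supplied PageType is
// resolved to a class only when it is an existing subclass of the tree class.
// The classes below are constructed stand-ins for the real page hierarchy.

class SiteTree {}
class Page extends SiteTree {}
class HomePage extends Page {}
class Member {}          // a DataObject in the real system, but not a page

/**
 * Resolve a PageType value to a class name, or null when it is not part of the
 * $treeClass hierarchy. class_exists() runs with autoloading disabled so that an
 * attacker-chosen name cannot trigger side effects inside an autoloader.
 */
function resolvePageType(string $requested, string $treeClass = 'SiteTree'): ?string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_\\\\]*$/', $requested)) {
        return null;                               // not even a plausible class name
    }
    if (!class_exists($requested, false)) {
        return null;
    }
    // is_subclass_of() accepts a class-name string, so nothing is instantiated
    // before the check passes. The tree class itself is allowed here by choice.
    if (strcasecmp($requested, $treeClass) !== 0 && !is_subclass_of($requested, $treeClass)) {
        return null;
    }
    return $requested;
}

/** Only a resolved, in-hierarchy class is ever constructed (and so ever written). */
function newItemFor(string $requested): ?object
{
    $class = resolvePageType($requested);
    return $class === null ? null : new $class();
}

// Constructed PageType values as a CMS request might carry them.
foreach (['Page', 'HomePage', 'SiteTree', 'Member', 'stdClass', 'NoSuchClass', 'not a class'] as $type) {
    $obj = newItemFor($type);
    printf("%-12s -> %s\n", $type, $obj === null ? 'refused' : 'created ' . get_class($obj));
}
```

`Member` and `stdClass` are the interesting cases: both exist and `stdClass` is even instantiable, but neither descends from the tree class, so neither is created. Checking the hierarchy rather than a hand-maintained list of page types means a new page subclass is accepted automatically while everything else stays refused.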