Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
CVE-2020-9309 Script execution on protected files with MIME spoofing content
- Severity:
- Medium (?)
- Identifier:
- CVE-2020-9309
- Versions Affected:
- silverstripe/recipe-core: ^4.0.0
- Versions Fixed:
- silverstripe/recipe-core: 4.6.0 or silverstripe/mimetype-validator: 2.0.0
- Release Date:
- 2020-07-13
Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms.
Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected.
Sites upgrading to silverstripe/recipe-core 4.6.0 will automatically be protected, as silverstripe/mimevalidator is now a core dependency. Sites using an older version of silverstripe/recipe-core need to manually install and configure silverstripe/mimevalidator.
Read the changelog for your targeted release for more information on the best course of action:
Base CVSS: 4.6
CWP CVSS: 0.0 (CWP customers are unaffected by this vulnerability.)
Reporter: Maxime Rainville, Senior Open-Source Developer, Silverstripe Ltd
Addendum: silverstripe/userforms 5.6.0 added an explicit requirement on silverstripe/mimevalidator for the file upload field as a further security enhancement. However, this fix was not properly merged up in the development branches, so silverstripe/userforms 5.6.1. 5.6.2 and 5.7.0 erroneously removed the new mimevalidator package. silverstripe/userforms 5.6.3 and 5.7.1 have been tagged to reintroduce the mimevalidator package and remedy this issue.
-
CVE-2020-6165 Limited queries break CanViewPermissionChecker
- Severity:
- Medium (?)
- Identifier:
- CVE-2020-6165
- Versions Affected:
- silverstripe/graphql: ^3.2, silverstripe/recipe-cms: ^4.5.0
- Versions Fixed:
- silverstripe/graphql: 3.2.4, silverstripe/graphql: 3.3.0
- Release Date:
- 2020-07-13
The automatic permission checking mechanism in the
silverstripe/graphql
module does not provide complete protection against lists that are limited (e.g. through pagination), resulting in records that should fail the permission check being added to the final result set.GraphQL endpoints are configured by default through the CMS (e.g. for assets), but the
admin/graphql
endpoint is access protected by default. This limits the vulnerability to users with access to the CMS, but still applies when those authenticated users have limited permissions (e.g. where viewing records exposed throughadmin/graphql
require administrator permissions).Where custom GraphQL endpoints have been be configured for a specific implementation (usually under
/graphql
), this vulnerability could also be exploited through unauthenticated requests.This vulnerability only applies for reading records it does not allow unauthorised changing of records.
If your project implements custom GraphQL queries returning a query-limited result set, you might have to validate that those queries still work as expected and adjust them if they don't.
Review the 4.5.3 changelogs or the 4.6.0 changelogs for additional details on how to upgrade your project.Base CVSS Score: 5.3
CWP CVSS Score: 5.3
Reporter: Matthias Leutenegger, CEO, Syntro GmbH and Rob Ingram
-
CVE-2020-6164 Information disclosure on /interactive URL path
- Severity:
- Low (?)
- Identifier:
- CVE-2020-6164
- Versions Affected:
- silverstripe/framework: ^3.0, silverstripe/framework: ^4.0
- Versions Fixed:
- silverstripe/framework: 4.4.7, silverstripe/framework: 4.5.4, silverstripe/framework: 4.6.0
- Release Date:
- 2020-07-13
A specific URL path configured by default through the
silverstripe/framework
module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).Base CVSS: 0.0
CWP CVSS: 0.0
Reporter: Elliot Sawyer, Senior Silverstripe Developer, Catalyst
-
CVE-2019-19326 Web Cache Poisoning through HTTPRequestBuilder
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-19326
- Versions Affected:
- silverstripe/framework: ^3.0, silverstripe/framework: ^4.0
- Versions Fixed:
- silverstripe/framework: 3.7.5, silverstripe/framework: 4.4.7, silverstripe/framework: 4.5.4, silverstripe/framework: 4.6.0
- Release Date:
- 2020-07-13
Silverstripe CMS sites which have opted into HTTP Cache Headers on responses served by the framework's HTTP layer can be vulnerable to web cache poisoning. Through modifying the
X-Original-Url
andX-HTTP-Method-Override
headers, responses with malicious HTTP headers can return unexpected responses to other consumers of this cached response. Most other headers associated with web cache poisoning are already disabled through request hostname forgery whitelists.Silverstripe CMS also supports an alternative means to override a request's HTTP method by including a
_method
parameter in a POST request. This behaves similarly to theX-HTTP-Method-Override
headers and is susceptible to the same vulnerability.The impact of this vulnerability depends on how you are using request data. The risk potential increases when your site allows user contributed content (such as comments or wiki-style pages).
In addition to public cache headers such as
Cache-Control: max-age=<age>
, there needs to be an intermediary HTTP cache between the website user and the server. This role is often filled by Content Delivery Networks (CDNs) and system components such as Varnish, but can also appear in the user's own network path (corporate proxies). See PortSwigger: Web Cache Poisoning for more details on the concept.If your Silverstripe CMS site requires those headers the work, you may need to take additional step when upgrading. Review the changelog for the version you plan to upgrade to:
- Silverstripe CMS Recipe 3.7.5 changelog
- Silverstripe CMS Recipe 4.4.7 changelog
- Silverstripe CMS Recipe 4.5.3 changelog
- Silverstripe CMS Recipe 4.6.0 changelog
Base CVSS: 5.9
CWP CVSS: 5.9
Reporters:
- memN0ps
- Will Boucher, Pulse Security
- Sabine Degen
-
CVE-2020-9280 Folders migrated from 3.x may be unsafe to upload to
- Severity:
- Medium (?)
- Identifier:
- CVE-2020-9280
- Versions Affected:
- silverstripe/assets:^1.0
- Versions Fixed:
- silverstripe/assets:1.4.7, silverstripe/assets:1.5.2, silverstripe/framework:4.4.6, silverstripe/assets:4.5.3, silverstripe/userforms:5.4.2, silverstripe/assets:5.5.2
- Release Date:
- 2020-04-14
Files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. Uploads performed via the CMS UI are not affected.
This is a security issue because the default "/Uploads" folder is publicly accessible by default, which means unauthorised parties may access the uploaded files via HTTP by guessing the file name.
This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x. It does not affect files uploaded before the upgrade. Without this module, the issue manifests as duplicated folders and wrong usage of the default
assets/Uploads
folder. In case protections are applied in other ways (e.g. htaccess or proxy rules), this might also lead to the same security issue.The most common way to generate file uploads outside of the CMS is the silverstripe/userforms module, but this issue has also been confirmed on custom form implementations.
Files in unprotected folders can be surfaced through custom implementations (such as indexing file content through website search). They can also be surfaced by malicious parties gaining access to the direct download link. Since Silverstripe does not allow listing of files to unauthorised users by default, this usually involves guessing file names. How predictable these file names are depends on your user submissions and your particular use case.
To check if you are affected, review all userforms on your website, and check the "upload folder" setting in any "file field" instances. In the "Assets" section, you can check if this folder has protections applied to it. Follow the same process for any custom form implementations in your project.
Read the Silverstripe CMS 4.4.6 changelogs for detailed steps on applying the patch and running related migration tasks.
Base CVSS: 5.9
CWP CVSS: 5.9
Reporter: Ingo Schommer, Lead Product Architect, Silverstripe Ltd.
-
CVE-2019-19325 XSS through non-scalar FormField attributes
- Severity:
- High (?)
- Identifier:
- CVE-2019-19325
- Versions Affected:
- silverstripe/framework:^4.3.0
- Versions Fixed:
- silverstripe/framework:4.4.5, silverstripe/framework:4.5.2
- Release Date:
- 2020-02-17
Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically, it required a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways.
The vulnerability is known to apply in at least the following cases:
- The login form provided by Silverstripe. When the login form is used with Multi Factor Authentication (MFA), the attack complexity for phishing increases, and is mitigated by using security keys such as Yubikey as an unphishable token.
- Forms which are configured to populate field values based on request parameters. This usually happens via setting the
$value
on a FormField instance during construction of the form, or by loading request data viaForm->loadDataFrom($myRequest->getVars())
. - Forms which have form validation applied through
RequiredFields
, and opt-out of using CSRF tokens viadisableSecurityToken()
. In this case, the vulnerability is more impactful if the form is also configured to accept GET submissions, rather than the default of POST submissions.
The vulnerability has not identified on forms created through the
silverstripe/userforms
module.Base CVSS: 7.5
Reported by: Ed Chipman, Senior Solutions Architect, Webbuilders Group
-
CVE-2019-16409 secureassets and versionedfiles modules can expose versions of protected files
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-16409
- Versions Affected:
- ^4.0
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
- 2019-09-24
Users who migrated from a 3.x site that used the versionedfiles module will have its _versions folders left as artefacts in their public filesystems, leaving all the unpublished versions of old files publicly accessible under a guessable URL. This module was superseded by the file versioning functionality provided by the core 4.x recipe, meaning these _versions folders have no ongoing functional utility and should be deleted or blocked from web requests.
Base CVSS Score: 5.9
CWP CVSS Score: 5.9
Thanks to Charlie Bergthaler and Jakub Dolba (SilverStripe Ltd) for reporting this issue.
-
CVE-2019-14273 Broken Access control on files
- Severity:
- Low (?)
- Identifier:
- CVE-2019-14273
- Versions Affected:
- ^4.0
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
- 2019-09-24
Unauthenticated users can access files which with restricted view permissions when embedded in content. This does not affect draft files, or files which aren't embedded in content.
In SilverStripe 4.x and CWP 2.x, files have a draft stage, and can be published. Before publication, they are only accessible to CMS users with access to view draft content (as well as administrators). Separately, published files can be placed in protected folders, with view and edit permissions restricted by certain CMS user groups only ("protected files").
Files can be embedded into other content managed through the CMS, as images or links. Publishing this content will automatically publish these embedded files. If these files are protected (viewable by certain CMS user groups), direct access to the file URL will be denied even for if the file is published. But when accessing the file through linked in the published content, access will be granted without further permission checks.
Base CVSS Score: 3.5
CWP CVSS Score: 3.5
Thanks to Normann Lou for reporting this issue.
2020-04-15 update: Migration task now available
The Silverstripe CMS 4.4.6/4.5.2 release include some additional remedial work related to this vulnerability. A file migration task has been created to retroactively protect files exposed by this vulnerability.
Read the Silverstripe CMS 4.4.6 change log for further details.
-
CVE-2019-14272 XSS in file titles managed through the CMS
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-14272
- Versions Affected:
- ^4.0
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
- 2019-09-24
SilverStripe allows XSS by authenicated users through editing file titles through the CMS. This can lead to privilege escalation by malicious authenticated users with otherwise more limited access.
The CMS generally allows file upload through the CMS for authenticated users (through rich text content editing, or the "assets" section). It is common to add custom file uploads to the CMS UI for authenticated users as well. In some cases, file upload is allowed by unauthenticated users on the website itself (e.g. as attachments through the popular "userforms" module).
Files have titles which are different from their filenames. By default, these titles can only be edited in the CMS. When files are uploaded by unauthenticated users, it is common practice to derive the file title from the sanitised file name, which is not vulnerable to the same XSS flaw.
CWP CVSS Score: 4.9
Thanks to Bot Kotatu for reporting
-
CVE-2019-12617 Access escalation for CMS users with limited access through permission cache pollution
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-12617
- Versions Affected:
- ^4.3
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
- 2019-09-24
Due to incorrectly shared caches between files and page content, CMS users with different permissions for these object types could gain more access than defined by the system. This depends on a specific access sequence, as well as the underlying records having similar characteristics (database identifier). For example, CMS users with readonly access to files, but edit access to page content, could end up with edit access to certain files.
Base CVSS Score: 5.0
CWP Environmental Score: 5.0
Thanks to Serge Latyntcev for reporting this issue.
-
CVE-2019-12245: Incorrect access control vulnerability in files uploaded to protected folders
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-12245
- Versions Affected:
- silverstripe/assets ^1.0
- Versions Fixed:
- 1.3.5, 1.4.4
- Release Date:
- 2019-09-24
An issue has been found where using the Upload PHP API to upload files into a protected folder would set the file's visibility to public, rather than respecting its parent folder permissions.
The silverstripe/userforms module uses this logic to upload files. Folders can be configured by CMS users to be access protected, either through the optional silverstripe/secureassets module in SilverStripe 3.x, or through core functionality in SilverStripe 4.x. If a form has been created in the CMS with an upload to such a protected folder, uploaded files were not protected from public access.
Accessing the files would require knowledge of the exact file URL, which is further complicated by the content hash added to each URL before SilverStripe 4.4 (with legacy_filenames=false). Since file URLs aren't listed by default, this reduces the overall impact of the issue.
In addition to applying the patch, files which have already been uploaded to assumed protected folders through userforms will need to be re-protected. This can be achieved by saving the protected folder in admin/assets, which will re-sync files on the filesystem into the correct place (assets/.protected). This workaround is only applicable for folders with a small number of files. For large amounts (many hundreds or thousands), we recommend writing a custom task. Silverstripe will provide a built-in task to remediate this situation in an upcoming hotfix release.
Base CVSS Score: 5.9
CWP CVSS Score: 5.9Thanks to Nicolaas Thiemen (Sunny Side Up) for reporting this issue.
Update 03/03/2020: Revised CVSS from 3.7 to 5.9, added workaround description
-
CVE-2019-12205 Flash Clipboard Reflected XSS
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-12205
- Versions Affected:
- ^3.0, ^4.0
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
- 2019-09-24
Third party library code included in silverstripe/framework (3.x) and silverstripe/admin (4.x) packaged their own documentation, which in turn included a vulnerable SWF file. This file was accessible on SilverStripe websites by default. Older browsers executed SWF directly, and in certain circumstances can expose the document object and associated data (e.g. cookies). Modern browsers often don't bundle or active the Flash plugin by default, or don't allow direct execution of SWF files without them being embedded, which mostly mitigates this vulnerability.
Thanks to Jay Richardson for reporting.
-
CVE-2019-12204 Missing warning on install.php on public webroot can lead to unauthenticated admin access
- Severity:
- Critical (?)
- Identifier:
- CVE-2019-12204
- Versions Affected:
- ^4.1.0
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
- 2019-09-24
SilverStripe 4.x projects might contain a leftover installation file (install.php) which can lead to unauthenticated administrative access to the CMS, as well as changing the site database through changing connection details.
Both SilverStripe 3.x and 4.x projects can be created through a web-based installer that is bundled in both the downloadable archive and composer-based installations. When choosing to run this installer, the process will warn you to remove the installer file upon a successful installation. When this step is skipped, a prominent warning in the CMS ensures that sites aren't deployed in this state. New sites who are built on SilverStripe 4.1 or newer, and have used the new default option of a public webroot will have this file located in
public/install.php
, which does not cause a CMS warning. This puts more responsibility on the developer starting the project to remember to delete this file.When sites are deployed with this file in place, attackers can create administrative users, and change the database connectivity configuration in a way that can affect other visitors of the site as well as CMS users. While there is no known way to reset the website site directly, a user with administrative privileges has access to a large amount of potentially sensitive data in the CMS (e.g. draft content, form submissions).
No user passwords or database credentials (password) are exposed. Projects upgrading from versions of SilverStripe prior to 4.1 are unlikely to be affected due to the prominent warning in the CMS.
Apart from upgrading to the latest supported SilverStripe 4.x release, the easiest mitigation to this potential issue on your site is to remove
public/install.php
. Note for users of SilverStripe Platform and the New Zealand Common Web Platform (CWP): This issue has been fixed on an infrastructure level already, and does not require a CWP recipe upgrade.Reported by Steve Boyd (SilverStripe Ltd)
-
CVE-2019-12203 Session fixation in "change password" form
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-12203
- Versions Affected:
- ^3.6, ^4.0
- Versions Fixed:
- 3.6.8, 3.7.4, 4.3.5, 4.4.4
- Release Date:
- 2019-09-24
Session fixation attack surface has been identified around the change password form.
A potential account hijacking may happen if an attacker has physical access to victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires victim to click the password reset link sent to their email. If all the above happens, attackers may reset the password before the real user does that.
Base CVSS Score: 6.5
CWP Environmental Score: 6.5
Special thanks to Stephan Boscu & Liam Stein for reporting this issue.
-
CVE-2019-12149: Potential SQL injection in restfulserver and registry modules
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-12149
- Versions Affected:
- silverstripe/restfulserver:^1.0, silverstripe/restfulserver:^2.0, silverstripe/registry:^2.1
- Versions Fixed:
- silverstripe/restfulserver:1.0.9, silverstripe/restfulserver:2.0.4, silverstripe/restfulserver:2.1.2, silverstripe/registry:2.1.1, silverstripe/registry:2.2.1
- Release Date:
- 2019-06-11
A potential SQL injection vulnerability has been identified in the silverstripe/restfulserver and silverstripe/registry modules which may allow specially crafted user input to be executed as SQL statements. All users of silverstripe/restfulserver are affected. Users of silverstripe/registry will be affected if they have had a developer implement the features of the module, since it is not enabled by default.
Users with a Web Application Firewall (WAF) are typically less affected, since they protect against malicious request payloads by default, however we still advise customers to upgrade their versions of each of these modules at their early convenience. Note that the New Zealand Government Common Web Platform has a WAF.