Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms
- Severity:
- High (?)
- Identifier:
- ss-2017-010
- Versions Affected:
- 4.0.0
- Versions Fixed:
- 4.0.1
- Release Date:
- 2017-12-07
When accessing the install.php script it is possible to extract any pre-configured database or default admin account password by viewing the source of the page, and inspecting the `value` property of the password fields.
Sites which do not have install.php deployed are not affected.
-
SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt
- Severity:
- Low (?)
- Identifier:
- ss-2017-009
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.
In order to address this a one-way hash is applied to the Email field before being stored.
Reported by Loz Calver
-
SS-2017-008: SQL injection in full text search of SilverStripe 4
- Severity:
- Critical (?)
- Identifier:
- ss-2017-008
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
When performing a fulltext search in SilverStripe 4.0.0 the 'start' querystring parameter is never escaped safely. This exposes a possible SQL injection vulnerability.
The issue exists in 3.5 and 3.6 but is less vulnerable, as SearchForm sanitises these variables prior to passing to mysql.
Reported by Stephan Bauer
-
SS-2017-007: CSV Excel Macro Injection
- Severity:
- Low (?)
- Identifier:
- ss-2017-007
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
In the CSV export feature of the CMS it's possible for the output to contain macros and scripts, which if imported without sanitisation into software (including Microsoft Excel) may be executed.
In order to safeguard against this threat all potentially executable cell values exported from CSV will be prepended with a literal tab character.
Reported by Ishaq Mohammed
-
SS-2017-006: Session user agent change detection
- Severity:
- Low (?)
- Identifier:
- ss-2017-006
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2
- Versions Fixed:
- 3.5.6, 3.6.3
- Release Date:
- 2017-12-07
A security protection device in Session designed to protect session hijacking was not correctly functioning. This function intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not correctly invalidating the user session.
Reported by Patrick Nelson - https://catchyour.com/
-
SS-2017-005: User enumeration via timing attack on login and password reset forms
- Severity:
- Medium (?)
- Identifier:
- SS-2017-005
- Versions Affected:
- 3.5.4 and below to 3.6.1
- Versions Fixed:
- 3.5.5, 3.6.2
- Release Date:
- 2017-09-28
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
Credit to Daniel Hensby (SilverStripe) and Erez Yalon (Checkmarx)
-
SS-2017-004: XSS in page history comparison
- Severity:
- Low (?)
- Identifier:
- SS-2017-004
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
Authenticated user with page edit permission can craft HTML, which when rendered in a page history comparison can execute client scripts.
Credit to Anti Räis for reporting this issue.
-
SS-2017-003: XSS in RedirectorPage
- Severity:
- Low (?)
- Identifier:
- SS-2017-003
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
RedirectorPage will allow users to specify a non-url malicious script as the redirection path without validation. Users which follow this url may allow this script to execute within their browser.
Credit to Wester for reporting this issue.
-
SS-2017-002: Member disclosure in login form
- Severity:
- Low (?)
- Identifier:
- SS-2017-002
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
There is a user ID enumeration vulnerability in our brute force error messages.
- Users that don't exist in will never get a locked out message
- Users that do exist, will get a locked out message
This means an attacker can infer or confirm user details that exist in the member table.
This issue has been resolved by ensuring that login attempt logging and lockout process works equivalently for non-existent users as it does for existant users.
-
SS-2017-001: XSS In page name
- Severity:
- Low (?)
- Identifier:
- SS-2017-001
- Versions Affected:
- 3.5.1 and below
- Versions Fixed:
- 3.4.4, 3.5.2
- Release Date:
- 2017-01-31
Page name `"><svg/onload=alert(/xss/)>` will trigger an XSS alert.
Credit to
Edric Teo
https://smarterbitbybit.com -
SS-2016-016: XSS In CMSSecurity BackURL
- Severity:
- Low (?)
- Identifier:
- SS-2016-016
- Versions Affected:
- 3.1.20 and below, 3.2.0 to 3.2.5, 3.3.0 to 3.3.3
- Versions Fixed:
- 3.1.21, 3.2.6, 3.3.4, 3.4.2, 3.5.0
- Release Date:
- 2016-11-29
In follow up to SS-2016-001 there is yet a minor unresolved fix to incorrectly encoded URL.
Credit: David Júlio for reporting.
-
SS-2016-010: ReadOnly transformation for formfields exploitable
- Severity:
- Low (?)
- Identifier:
- SS-2016-010
- Versions Affected:
- 3.1.20 and below, 3.2.0 to 3.2.5, 3.3.0 to 3.3.3
- Versions Fixed:
- 3.1.21, 3.2.6, 3.3.4, 3.4.2, 3.5.0
- Release Date:
- 2016-11-29
Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default.
SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and doesn't overwrite data on form construction.
Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data on these fields doesn't make it into the database unless you are accessing form values directly in your saving logic.
Discovered by employers of security-assessment.com, division of Dimension Data.
-
SS-2016-015: XSS In OptionsetField and CheckboxSetField
- Severity:
- Low (?)
- Identifier:
- ss-2016-015
- Versions Affected:
- 3.1.19, 3.2.4, 3.3.2. 3.4.0
- Versions Fixed:
- 3.1.20, 3.2.5, 3.3.3. 3.4.1
- Release Date:
- 2016-08-15
List of key / value pairs assigned to OptionsetField or CheckboxSetField do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML.
-
SS-2016-014: Pre-existing alc_enc cookies log users in if remember me is disabled
- Severity:
- Low (?)
- Identifier:
- ss-2016-014
- Versions Affected:
- 3.1.19, 3.2.4, 3.3.2. 3.4.0
- Versions Fixed:
- 3.1.20, 3.2.5, 3.3.3. 3.4.1
- Release Date:
- 2016-08-15
If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.
Reported by Patrick Nelson - https://catchyour.com/
-
SS-2016-013: Member.Name isn't escaped
- Severity:
- Low (?)
- Identifier:
- ss-2016-013
- Versions Affected:
- 3.1.19, 3.2.4, 3.3.2. 3.4.0
- Versions Fixed:
- 3.1.20, 3.2.5, 3.3.3. 3.4.1
- Release Date:
- 2016-08-15
The core template framework/templates/Includes/GridField_print.ss uses "Printed by $Member.Name".
If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.
Credit to Matt Peel for reporting.
