Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
SS-2018-010: Member disclosure in login form
- Severity:
- Low
- Identifier:
- SS-2018-010
- Versions Affected:
- >=4.0.0
- Versions Fixed:
- 4.0.4, 4.1.1
- Release Date:
- 2018-05-28
There is a user enumeration vulnerability in the error messages produced by the brute-force protection:
- users that do not exist never receive a locked-out message;
- users that do exist receive a locked-out message after repeated failures.
This means an attacker can infer or confirm which user details exist in the Member table.
This issue has been resolved by ensuring that login attempt logging and the lockout process work equivalently for non-existent users and for existing users.
This is a regression of SS-2017-002.
Reported by Dan Hensby of SilverStripe.
-
SS-2018-008: BackURL validation bypass with malformed URLs
- Severity:
- High
- Identifier:
- SS-2018-008
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
A carefully constructed malformed URL can be used to circumvent the off-site redirection protection applied to BackURL parameters. This could lead to users entering sensitive data into a malicious website instead of the intended one.
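The following is an added example, not SilverStripe's own BackURL handling, of a validator that accepts a back URL only when it is a same-site path and treats the malformed shapes a browser would resolve off-site (scheme-relative `//host`, backslash variants, control characters, percent-encoded slashes) as rejects. The inputs at the bottom are constructed for the example.

```php
<?php
// Added example, not SilverStripe's own BackURL code: accept a BackURL value
// only when it is a same-site path, rejecting the malformed shapes browsers
// resolve off-site. The inputs at the bottom are constructed.

/**
 * Returns the path to redirect to, or null if $backUrl must be rejected.
 */
function safeBackUrl(string $backUrl): ?string
{
    // Drop ASCII control characters and spaces: browsers strip some of these
    // when parsing, so "/\t/evil.example" would be read as "//evil.example".
    $candidate = preg_replace('/[\x00-\x20\x7f]/', '', $backUrl) ?? '';
    if ($candidate === '') {
        return null;
    }

    // Exactly one leading slash. "//host", "/\host" and "\\host" are all
    // scheme-relative (off-site) references to a browser.
    if ($candidate[0] !== '/') {
        return null;
    }
    if (strlen($candidate) > 1 && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return null;
    }

    // Defence in depth: parse_url() must agree there is no scheme, host or
    // userinfo. It returns false for badly malformed input, also a reject.
    $parts = parse_url($candidate);
    if ($parts === false) {
        return null;
    }
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return null;
        }
    }

    // A percent-encoded form must pass the same rules once decoded, or a later
    // decode step (framework, proxy) could turn "/%2F%2Fevil" into "//evil".
    $decoded = rawurldecode($candidate);
    if ($decoded !== $candidate && safeBackUrl($decoded) === null) {
        return null;
    }

    return $candidate;
}

// Constructed inputs with the verdict each should receive
$cases = [
    '/admin/pages'                      => true,
    '/Security/login?x=1'               => true,
    '//evil.example/login'              => false,
    '/\\evil.example/login'             => false,
    "/\t/evil.example/login"            => false,
    '/%2F%2Fevil.example/login'         => false,
    'https://evil.example/login'        => false,
    'javascript:alert(document.domain)' => false,
    ''                                  => false,
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = safeBackUrl($input) !== null;
    printf("%-40s %s\n", json_encode($input), $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
}
```

The validator returns the path rather than a boolean so the caller redirects to the validated string and never to the raw parameter. A relative path such as `/..//x` is still same-site (the single leading slash keeps the host), which is why only the second character is inspected for a slash or backslash.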
Reported by Mustafa Hasan
-
SS-2018-006: Code execution vulnerability
- Severity:
- High
- Identifier:
- SS-2018-006
- Versions Affected:
- silverstripe/framework:^4.0.3, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
There is a vulnerability whereby arbitrary global functions may be executed if malicious user input is passed through in the second argument of ViewableData::renderWith. This argument resolves associative arrays as template placeholders. The exploit requires user code that makes use of the second argument of renderWith and passes user input directly as a value in the associative array without sanitisation such as Convert::raw2xml().
ViewableData::customise is not vulnerable.
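As an added illustration, not code from SilverStripe, here is the vulnerable usage pattern described above beside the two hardened forms the advisory points to: escaping the value before it reaches the second argument, and passing data through customise() instead. The template name `Greeting`, the `name` GET parameter and the controller class are assumed for the example.

```php
<?php
// Added example, not SilverStripe's own code: the vulnerable usage pattern the
// advisory describes beside two hardened forms. "Greeting" (template) and the
// "name" GET parameter are assumed names for the illustration.

namespace App\Control;

use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Convert;
use SilverStripe\ORM\FieldType\DBField;

class GreetingController extends Controller
{
    private static $allowed_actions = ['greet', 'greetEscaped', 'greetCustomised'];

    // VULNERABLE on framework < 4.0.4 / 4.1.1: raw request input becomes a
    // value in renderWith()'s second argument.
    public function greet(HTTPRequest $request)
    {
        return $this->renderWith('Greeting', [
            'Name' => $request->getVar('name'),
        ]);
    }

    // HARDENED (1): escape before the value reaches the second argument,
    // as the advisory recommends.
    public function greetEscaped(HTTPRequest $request)
    {
        return $this->renderWith('Greeting', [
            'Name' => Convert::raw2xml((string) $request->getVar('name')),
        ]);
    }

    // HARDENED (2): pass the data through customise() as a typed field;
    // the advisory states customise() is not affected.
    public function greetCustomised(HTTPRequest $request)
    {
        return $this->customise([
            'Name' => DBField::create_field('Text', (string) $request->getVar('name')),
        ])->renderWith('Greeting');
    }
}
```

Upgrading to a fixed framework version is the actual remedy; the hardened forms are what project code should look like regardless, so that an unsanitised value never reaches a template placeholder.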
Reported by Logan Woods of Aura Information Security and Josh Leroux of Theory Tank.
-
SS-2018-005: isDev and isTest unguarded
- Severity:
- High
- Identifier:
- SS-2018-005
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
The URL parameters isDev and isTest are accessible to unauthenticated users who access a SilverStripe website or application. This allows unauthorised users to expose information that is usually hidden on production environments such as verbose errors (including backtraces) and other debugging tools only available to sites running in "dev mode". Core functionality does not expose user data through these methods. Depending on your website configuration, community modules might have added more specific functionality which can be used to either access or alter user data.
We have fixed the usage of isDev and isTest in SilverStripe 4.x, and removed the URL parameters in the next major release of SilverStripe.
Reported by Will Barker at Kindleman
-
SS-2018-004: XSS Vulnerability via WYSIWYG editor
- Severity:
- Low
- Identifier:
- SS-2018-004
- Versions Affected:
- silverstripe/admin:^1.0.3, silverstripe/admin:^1.1.0
- Versions Fixed:
- silverstripe/admin:1.0.4, silverstripe/admin:1.1.1
- Release Date:
- 2018-05-28
It is possible for a bad actor with access to the CMS to make use of onmouseover or onmouseout attributes in the WYSIWYG editor to embed malicious JavaScript.
Reported by Jeremy Bates at Heyday Digital (for Aura Information Security)
-
SS-2018-001: Privilege Escalation Risk in Member Edit form
- Severity:
- Low
- Identifier:
- SS-2018-001
- Versions Affected:
- silverstripe/framework:^3.5.7, silverstripe/framework:^3.6.0, silverstripe/framework:^4.0.0, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:3.5.8, silverstripe/framework:3.6.6, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
A member with the EDIT_PERMISSIONS permission and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.
The CMS fields for the member are constructed from the DirectGroups relation instead of the Groups relation, which bypasses the security logic that prevents privilege escalation.
Reported by: Worik Stanton
-
SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms
- Severity:
- High
- Identifier:
- SS-2017-010
- Versions Affected:
- 4.0.0
- Versions Fixed:
- 4.0.1
- Release Date:
- 2017-12-07
When accessing the install.php script it is possible to extract any pre-configured database or default admin account password by viewing the source of the page, and inspecting the `value` property of the password fields.
Sites which do not have install.php deployed are not affected.
-
SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt
- Severity:
- Low
- Identifier:
- SS-2017-009
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
All user login attempts are logged in the database in the LoginAttempt table. However, this table stores its information in plain text and may possibly contain sensitive data, such as user passwords mistyped into the username field.
In order to address this, a one-way hash is now applied to the Email field before it is stored.
Reported by Loz Calver
-
SS-2017-008: SQL injection in full text search of SilverStripe 4
- Severity:
- Critical
- Identifier:
- SS-2017-008
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
When performing a full-text search in SilverStripe 4.0.0, the 'start' query-string parameter is never safely escaped. This allows SQL injection.
The issue also exists in 3.5 and 3.6 but is less severe there, as SearchForm sanitises these variables before passing them to MySQL.
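The following is an added example, not SilverStripe's SearchForm, showing the unsafe pagination pattern the advisory describes beside a hardened version: the offset is validated as a non-negative integer before it touches the query and bound with an integer type, and the keywords are bound rather than concatenated. MySQL full-text syntax, PDO, and the table and column names are assumed for the illustration.

```php
<?php
// Added example, not SilverStripe's SearchForm: the unsafe pagination pattern
// the advisory describes beside a hardened version. MySQL full-text syntax and
// PDO are assumed; the table and column names are illustrative.

function searchSqlUnsafe(PDO $db, string $keywords, string $start): string
{
    // VULNERABLE: $start comes straight from the query string and is
    // concatenated into the SQL without validation or escaping.
    return 'SELECT ID, Title FROM SiteTree_Live'
        . ' WHERE MATCH (Title, Content) AGAINST (' . $db->quote($keywords) . ' IN BOOLEAN MODE)'
        . " LIMIT 10 OFFSET $start";
}

/** Normalise a pagination offset: a non-negative integer, or null to reject. */
function paginationOffset($raw, int $max = 1000000): ?int
{
    $offset = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => $max]]);
    return $offset === false ? null : $offset;
}

function searchSafe(PDO $db, string $keywords, $start): array
{
    // HARDENED: the offset is validated as an integer before it touches the
    // query and bound with PDO::PARAM_INT, so a driver emulating prepares
    // emits a bare number rather than a quoted string. Keywords are bound too.
    $offset = paginationOffset($start);
    if ($offset === null) {
        throw new InvalidArgumentException('start must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT ID, Title FROM SiteTree_Live'
        . ' WHERE MATCH (Title, Content) AGAINST (:kw IN BOOLEAN MODE)'
        . ' LIMIT 10 OFFSET :off');
    $stmt->bindValue(':kw', $keywords, PDO::PARAM_STR);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed values a client might send as ?start=; no database needed here
assert(paginationOffset('20') === 20);
assert(paginationOffset('20 OR 1=1') === null);
assert(paginationOffset('-1') === null);
assert(paginationOffset('') === null);
```

Pagination values are a common blind spot because they "look numeric"; the rule is that anything placed in a LIMIT or OFFSET clause is cast to an integer first and never interpolated as a string, whatever the rest of the query does.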
Reported by Stephan Bauer
-
SS-2017-007: CSV Excel Macro Injection
- Severity:
- Low
- Identifier:
- SS-2017-007
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
In the CSV export feature of the CMS it is possible for the output to contain macros and scripts which, if imported without sanitisation into software such as Microsoft Excel, may be executed.
In order to safeguard against this threat, all potentially executable cell values exported to CSV are now prepended with a literal tab character.
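The following is an added example, not SilverStripe's GridField exporter, of neutralising cells that spreadsheet software would treat as formulas, using the approach described above (a leading literal tab). It also shows the edge cases: genuine numbers such as `-12.50` are left alone, and a value whose trigger character is hidden behind a leading tab or carriage return is still caught. The rows are constructed for the example.

```php
<?php
// Added example, not SilverStripe's GridField exporter: neutralise cell values
// that spreadsheet software would treat as formulas, using the approach the
// advisory describes (a leading literal tab). The rows are constructed.

function neutraliseCsvCell(string $value): string
{
    // Plain numbers ("-12.50", "+1") are safe: a number is never a formula.
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    // Cells starting with = + - @ are evaluated by Excel/LibreOffice. A
    // leading tab or CR before them is ignored by the spreadsheet, so those
    // count as "starting with" a trigger character as well.
    $stripped = ltrim($value, "\t\r");
    if ($stripped !== '' && strpos('=+-@', $stripped[0]) !== false) {
        return "\t" . $value;
    }
    return $value;
}

function writeCsvRows(array $rows): string
{
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map(fn($cell) => neutraliseCsvCell((string) $cell), $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed export: a member-supplied Name field carrying spreadsheet formulas
$rows = [
    ['Name', 'Email', 'Balance'],
    ['Alice Smith', 'alice@example.com', '-12.50'],
    ['=HYPERLINK("https://evil.example/login","Click to verify")', 'mallory@example.com', '+1'],
    ["\r@SUM(1,2)", 'bob@example.com', '3'],
];
echo writeCsvRows($rows);
```

fputcsv() quotes any field containing a tab, so the neutralised cell is emitted as `"<tab>=HYPERLINK(...)"`; the spreadsheet shows the text but does not evaluate it. The numeric exemption is a convenience for reports; if the export format is consumed by machines rather than people, prefixing every triggering cell unconditionally is simpler and equally safe.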
Reported by Ishaq Mohammed
-
SS-2017-006: Session user agent change detection
- Severity:
- Low
- Identifier:
- SS-2017-006
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2
- Versions Fixed:
- 3.5.6, 3.6.3
- Release Date:
- 2017-12-07
A protection mechanism in Session intended to guard against session hijacking was not functioning correctly. It was designed to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not invalidating the user session as intended.
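The following is an added example, not SilverStripe's Session class, of the check described above: bind the session to the User-Agent seen at login and clear it when the header changes. A plain array stands in for `$_SESSION` so the walk-through runs without a web server, and the HMAC key is an assumed configuration secret.

```php
<?php
// Added example, not SilverStripe's Session class: bind a session to the
// User-Agent seen at login and destroy it when the header changes, i.e. the
// check the advisory says was not taking effect. A plain array stands in for
// $_SESSION so the walk-through runs without a web server; the HMAC key is an
// assumed configuration secret.

const UA_KEY = '_ua_fingerprint';
const UA_SECRET = 'assumed-site-secret';

function uaFingerprint(string $userAgent): string
{
    // Keyed hash rather than the raw header: a leaked session dump then does
    // not reveal the agent string an attacker would need to match.
    return hash_hmac('sha256', $userAgent, UA_SECRET);
}

/** Call once after successful authentication. */
function bindSessionToAgent(array &$session, string $userAgent): void
{
    $session[UA_KEY] = uaFingerprint($userAgent);
}

/**
 * Call on every request before trusting anything in the session.
 * Returns true if the session may be used; false if it was cleared because
 * the agent no longer matches the one it was bound to.
 */
function enforceSessionAgent(array &$session, string $userAgent): bool
{
    if (!isset($session[UA_KEY])) {
        return true;                     // never bound (anonymous session)
    }
    if (hash_equals($session[UA_KEY], uaFingerprint($userAgent))) {
        return true;
    }
    $session = [];                       // in a real app: session_destroy() and a fresh ID
    return false;
}

// Walk-through with a constructed session: login, then the same agent, then a
// different agent presenting the same cookie.
$session = ['MemberID' => 42];
bindSessionToAgent($session, 'Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0');

$sameAgent = enforceSessionAgent($session, 'Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0');
$stolenCookie = enforceSessionAgent($session, 'curl/7.58.0');

printf("same agent kept session: %s\n", $sameAgent ? 'yes' : 'no');
printf("changed agent kept session: %s, MemberID still set: %s\n",
    $stolenCookie ? 'yes' : 'no', isset($session['MemberID']) ? 'yes' : 'no');
```

User-Agent binding is a weak control on its own, since an attacker who has the cookie can usually copy the header too; it is defence in depth beside HttpOnly and SameSite cookie flags and regenerating the session ID on login. The point of the advisory is that a control that is configured but silently never fires is worse than none, because it is trusted.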
Reported by Patrick Nelson - https://catchyour.com/
-
SS-2017-005: User enumeration via timing attack on login and password reset forms
- Severity:
- Medium
- Identifier:
- SS-2017-005
- Versions Affected:
- 3.5.4 and below, 3.6.0 to 3.6.1
- Versions Fixed:
- 3.5.5, 3.6.2
- Release Date:
- 2017-09-28
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
Credit to Daniel Hensby (SilverStripe) and Erez Yalon (Checkmarx)
-
SS-2017-004: XSS in page history comparison
- Severity:
- Low
- Identifier:
- SS-2017-004
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
An authenticated user with page edit permission can craft HTML which, when rendered in a page history comparison, executes client-side scripts.
Credit to Anti Räis for reporting this issue.
-
SS-2017-003: XSS in RedirectorPage
- Severity:
- Low
- Identifier:
- SS-2017-003
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
RedirectorPage allows users to specify a malicious script, rather than a URL, as the redirection path without validation. Users who follow this link may have the script executed within their browser.
Credit to Wester for reporting this issue.
-
SS-2017-002: Member disclosure in login form
- Severity:
- Low
- Identifier:
- SS-2017-002
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
There is a user enumeration vulnerability in the error messages produced by the brute-force protection:
- users that do not exist never receive a locked-out message;
- users that do exist receive a locked-out message after repeated failures.
This means an attacker can infer or confirm which user details exist in the Member table.
This issue has been resolved by ensuring that login attempt logging and the lockout process work equivalently for non-existent users and for existing users.
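The following is an added example, not SilverStripe's authenticator, of a login routine with the property that the fixes for SS-2017-002 and SS-2018-010 (lockout message), SS-2017-005 (timing) and SS-2017-009 (plaintext identifiers in the attempt log) describe: attempt logging, lockout and the cost of each attempt are identical whether or not the submitted e-mail exists, and the attempt log stores only a hash of the identifier. The in-memory "tables", the limits and the messages are constructed for the example.

```php
<?php
// Added example, not SilverStripe's own authenticator: a login routine whose
// attempt logging, lockout and timing are identical whether or not the
// submitted e-mail exists. The in-memory "tables", the limits and the
// messages are constructed for the example.

const MAX_FAILURES = 5;
const LOCKOUT_SECONDS = 900;
const MSG_WRONG = 'The provided details don\'t seem to be correct. Please try again.';
const MSG_LOCKED = 'Your account is temporarily locked. Please try again later.';

function hashIdentifier(string $email): string
{
    // Normalise, then one-way hash: a password mistyped into the e-mail box
    // is then not stored in clear in the attempt log. (A per-site secret
    // would be mixed in for a real deployment; omitted here.)
    return hash('sha256', strtolower(trim($email)));
}

function recentFailures(array $attempts, string $emailHash, int $now): int
{
    $n = 0;
    foreach ($attempts as $a) {
        if ($a['EmailHashed'] === $emailHash && $a['Status'] === 'Failure'
            && $a['Created'] > $now - LOCKOUT_SECONDS) {
            $n++;
        }
    }
    return $n;
}

/**
 * $members:   email => ['ID' => int, 'Password' => bcrypt hash]
 * $dummyHash: bcrypt hash of a throwaway password, computed once at boot.
 * Returns ['ok' => bool, 'message' => string].
 */
function attemptLogin(string $email, string $password, array $members,
                      array &$attempts, string $dummyHash, int $now): array
{
    $emailHash = hashIdentifier($email);

    // Lockout is keyed on the hashed identifier, so it triggers on the same
    // attempt number for an unknown address as for a real member.
    if (recentFailures($attempts, $emailHash, $now) >= MAX_FAILURES) {
        return ['ok' => false, 'message' => MSG_LOCKED];
    }

    $member = $members[strtolower(trim($email))] ?? null;

    // Verify against the dummy hash when there is no member, so the slow
    // password check runs on every path and there is no timing difference.
    $verified = password_verify($password, $member['Password'] ?? $dummyHash) && $member !== null;

    $attempts[] = ['EmailHashed' => $emailHash, 'Status' => $verified ? 'Success' : 'Failure', 'Created' => $now];

    return $verified
        ? ['ok' => true, 'message' => 'Welcome, member ' . $member['ID']]
        : ['ok' => false, 'message' => MSG_WRONG];
}

// Walk-through: MAX_FAILURES + 1 bad passwords for an unknown address and for
// a real one; the response sequences and the attempt-log sizes must match.
$dummyHash = password_hash('throwaway', PASSWORD_BCRYPT);
$members = ['alice@example.com' => ['ID' => 1, 'Password' => password_hash('correct horse', PASSWORD_BCRYPT)]];
$attempts = [];
$sequences = [];
foreach (['nobody@example.com', 'alice@example.com'] as $email) {
    $before = count($attempts);
    for ($i = 0; $i <= MAX_FAILURES; $i++) {
        $sequences[$email][] = attemptLogin($email, 'wrong', $members, $attempts, $dummyHash, time() + $i)['message'];
    }
    echo $email, ': ', count($attempts) - $before, " attempt rows logged\n";
}
echo $sequences['nobody@example.com'] === $sequences['alice@example.com']
    ? "identical responses for unknown and known addresses\n"
    : "RESPONSES DIFFER\n";
```

Two details carry the guarantee: the lockout counter is computed from the hashed identifier, not from a Member row, so an address that does not exist locks out on exactly the same attempt; and password_verify() always runs, against a pre-computed dummy hash of the same cost when there is no member, so the response time does not reveal existence either. Per-IP throttling is still needed on top, since a per-identifier lockout can otherwise be used to lock real users out.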