CVE-2019-12245: Incorrect access control vulnerability in files uploaded to protected folders
- Moderate (?)
- Versions Affected:
- silverstripe/assets ^1.0
- Versions Fixed:
- 1.3.5, 1.4.4
- Release Date:
An issue has been found where using the Upload PHP API to upload files into a protected folder would set the file's visibility to public, rather than respecting its parent folder permissions.
The silverstripe/userforms module uses this logic to upload files. Folders can be configured by CMS users to be access protected, either through the optional silverstripe/secureassets module in SilverStripe 3.x, or through core functionality in SilverStripe 4.x. If a form has been created in the CMS with an upload to such a protected folder, uploaded files were not protected from public access.
Accessing the files would require knowledge of the exact file URL, which is further complicated by the content hash added to each URL before SilverStripe 4.4 (with legacy_filenames=false). Since file URLs aren't listed by default, this reduces the overall impact of the issue.
In addition to applying the patch, files which have already been uploaded to assumed protected folders through userforms will need to be re-protected. This can be achieved by saving the protected folder in admin/assets, which will re-sync files on the filesystem into the correct place (assets/.protected). This workaround is only applicable for folders with a small number of files. For large amounts (many hundreds or thousands), we recommend writing a custom task. Silverstripe will provide a built-in task to remediate this situation in an upcoming hotfix release.
Thanks to Nicolaas Thiemen (Sunny Side Up) for reporting this issue.