CVE-2019-12245: Incorrect access control vulnerability in files uploaded to protected folders
- Moderate (?)
- Versions Affected:
- silverstripe/assets ^1.0
- Versions Fixed:
- Release Date:
An issue has been found where using the Upload PHP API to upload files into a protected folder would set the file's visibility to public, rather than respecting its parent folder permissions.
The silverstripe/userforms module uses this logic to upload files. Folders can be configured by CMS users to be access protected, either through the optional silverstripe/secureassets module in SilverStripe 3.x, or through core functionality in SilverStripe 4.x. If a form has been created in the CMS with an upload to such a protected folder, uploaded files were not protected from public access.
Accessing the files would require knowledge of the exact file URL, which is further complicated by the content hash added to each URL before SilverStripe 4.4 (with legacy_filenames=false). Since file URLs aren't listed by default, this reduces the overall impact of the issue.
Base CVSS Score: 3.7
CWP CVSS Score: 3.7
Thanks to Nicolaas Thiemen (Sunny Side Up) for reporting this issue.