CVE-2020-9280 Folders migrated from 3.x may be unsafe to upload to
- Severity: Medium
- Versions Affected:
- Versions Fixed:
- silverstripe/assets:1.4.7, silverstripe/assets:1.5.2, silverstripe/framework:4.4.6, silverstripe/assets:4.5.3, silverstripe/userforms:5.4.2, silverstripe/assets:5.5.2
- Release Date:
Files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be placed in the default "/Uploads" folder instead. Uploads performed via the CMS UI are not affected.
This is a security issue because the "/Uploads" folder is publicly accessible by default, which means unauthorised parties may access the uploaded files via HTTP by guessing the file name.
This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x. It does not affect files uploaded before the upgrade. Without this module, the issue manifests as duplicated folders and wrong usage of the default assets/Uploads folder. In case protections are applied in other ways (e.g. htaccess or proxy rules), this might also lead to the same security issue.
The most common way to generate file uploads outside of the CMS is the silverstripe/userforms module, but this issue has also been confirmed on custom form implementations.
Files in unprotected folders can be surfaced through custom implementations (such as indexing file content through website search). They can also be surfaced by malicious parties gaining access to the direct download link. Since Silverstripe does not allow listing of files to unauthorised users by default, this usually involves guessing file names. How predictable these file names are depends on your user submissions and your particular use case.
To check if you are affected, review all userforms on your website, and check the "upload folder" setting in any "file field" instances. In the "Assets" section, you can check if this folder has protections applied to it. Follow the same process for any custom form implementations in your project.
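The manual review above can be supported by a script run over an export of folder records and form file fields. The following is an added example, not Silverstripe's own code: the row shape (ID, ParentID, Name, CanViewType), the permission values, the sample data and the rule that a field with no folder uploads to a public "/Uploads" are assumptions made for illustration.

```python
from collections import Counter

PUBLIC = "Anyone"  # assumed: view setting of an unrestricted folder

# Constructed sample export of folder records; column names are assumptions.
FOLDERS = [
    {"ID": 1, "ParentID": 0, "Name": "Uploads", "CanViewType": "Inherit"},
    {"ID": 2, "ParentID": 0, "Name": "Applications", "CanViewType": "LoggedInUsers"},
    {"ID": 3, "ParentID": 2, "Name": "CVs", "CanViewType": "Inherit"},
    {"ID": 4, "ParentID": 0, "Name": "Applications", "CanViewType": "Inherit"},
]
# Constructed file fields: (form, field, upload folder ID); 0 means none set.
FILE_FIELDS = [("Job application", "CV", 3), ("Contact", "Attachment", 4),
               ("Feedback", "Screenshot", 0)]

def chain(folder_id, by_id):
    """Folders from folder_id up to the root, stopping on a cycle or gap."""
    seen, out = set(), []
    while folder_id in by_id and folder_id not in seen:
        seen.add(folder_id)
        out.append(by_id[folder_id])
        folder_id = by_id[folder_id]["ParentID"]
    return out

def folder_path(folder_id, by_id):
    return "/" + "/".join(f["Name"] for f in reversed(chain(folder_id, by_id)))

def effective_view(folder_id, by_id):
    """First non-inherited setting on the way up; public if none is found."""
    for f in chain(folder_id, by_id):
        if f["CanViewType"] != "Inherit":
            return f["CanViewType"]
    return PUBLIC

def audit(fields, folders):
    """One finding per file field whose upload folder needs review."""
    by_id = {f["ID"]: f for f in folders}
    counts = Counter(folder_path(f["ID"], by_id) for f in folders)
    findings = []
    for form, field, fid in fields:
        # Assumption: a field with no (or a missing) folder uses /Uploads.
        path = folder_path(fid, by_id) if fid in by_id else "/Uploads"
        reasons = [r for r, hit in (
            ("publicly viewable", effective_view(fid, by_id) == PUBLIC),
            ("duplicate folder path", counts[path] > 1)) if hit]
        if reasons:
            findings.append((form, field, path, reasons))
    return findings
```

Each finding names a form field to check by hand in the "Assets" section; a duplicate folder path is the symptom the advisory describes for migrated folders.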
Read the Silverstripe CMS 4.4.6 changelogs for detailed steps on applying the patch and running related migration tasks.
Base CVSS: 5.9
CWP CVSS: 5.9
Reporter: Ingo Schommer, Lead Product Architect, Silverstripe Ltd.