SS-2014-018: Open file permissions vulnerability
- Severity: High (?)
- Identifier: SS-2014-018
- Versions Affected: 3.1
- Versions Fixed: 3.1.9
- Release Date: 2015-01-15
The 'edit' and 'delete' actions of UploadField are accessible to unauthenticated users, who can alter the file ID in the URL to reach any file recorded in the database.
This gives the user unrestricted ability to:
- Alter the file or folder name
- Alter the parent folder
- Rename the file
- Change the file owner
- Delete the file or folder
This can be performed on any UploadField used on the front-end unless custom logic has been applied to the File class via a DataExtension that implements the canEdit method.
UploadFields in the admin section are also affected, but can only be reached by users who have access to the admin section and to an UploadField.
Workaround: 3.1.8 and older
In the immediate term, user code can be patched to mitigate this vulnerability before the 3.1.9 release. Create (and customise as necessary) the following two files.
In mysite/_config/security.yml put the following:
---
Name: filesecurity
---
File:
  extensions:
    - FileSecurityExtension
In mysite/code/FileSecurityExtension.php put the following:
<?php
class FileSecurityExtension extends DataExtension {
    // Returning false from an extension's canEdit() vetoes the edit on the File
    // record this extension is attached to, so the 'edit' and 'delete' actions
    // of UploadField are refused for anyone without the permission below.
    public function canEdit($member) {
        return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
        // Or replace with the appropriate permission code
    }
}
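The workaround above vetoes every edit for anyone who lacks the asset-admin permission, which is the safest default but may be too blunt for a site where front-end users legitimately manage their own uploads. The following is an added example (not SilverStripe's own code, nor part of this advisory) of a more complete variant: it gates both canEdit and canDelete on the same policy, refuses unauthenticated requests outright, and otherwise allows either an asset administrator or the file's recorded owner. It assumes the SilverStripe 3.1 DataExtension, Permission and Member APIs named in the advisory's own snippet, and that File records carry an OwnerID field pointing at a Member; the helper name memberMayManageFile is chosen here for illustration.

```php
<?php
// Added example, not the project's own code: a stricter FileSecurityExtension
// that covers deletion as well as editing, and distinguishes asset admins,
// file owners and everyone else (including unauthenticated requests).
class FileSecurityExtension extends DataExtension {

    /**
     * Veto edits unless the member passes the shared policy check.
     * Returning false from an extension's canEdit() blocks the action.
     */
    public function canEdit($member = null) {
        return $this->memberMayManageFile($member);
    }

    /**
     * Gate deletion the same way, so a request that hits the 'delete' action
     * with an arbitrary file ID is refused for anyone who could not edit it.
     */
    public function canDelete($member = null) {
        return $this->memberMayManageFile($member);
    }

    /**
     * Central policy, shared by canEdit() and canDelete().
     * (Helper name chosen for this example; not a framework hook.)
     *
     * @param Member|int|null $member
     * @return bool
     */
    protected function memberMayManageFile($member) {
        if (!$member) {
            $member = Member::currentUser();
        }
        // No session at all: this is exactly the unauthenticated case the
        // advisory describes, so refuse before consulting any permission.
        if (!$member) {
            return false;
        }

        // Asset administrators may manage any file.
        if (Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin')) {
            return true;
        }

        // Otherwise only the file's recorded owner may manage it.
        // $this->owner is the File record this extension is attached to;
        // assumes File has an OwnerID has_one to Member (3.1 schema).
        $memberId = is_object($member) ? (int) $member->ID : (int) $member;
        $ownerId  = (int) $this->owner->OwnerID;

        return $ownerId > 0 && $ownerId === $memberId;
    }
}
```

After adding or changing either file, request any page with ?flush=1 so SilverStripe rebuilds its class manifest and YAML config cache; until then the extension is not applied and the front-end UploadField actions remain open. A quick check is to log out and request an UploadField edit or delete URL for an existing file ID: with the extension active the response should be a permission failure rather than the edit form.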