Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
SS-2018-018: Database credentials disclosure during connection failure
- Severity:
- Medium (?)
- Identifier:
- SS-2018-018
- Versions Affected:
- silverstripe/framework:^3.7, silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:3.7.1, silverstripe/framework:4.0.5, silverstripe/framework:4.1.3, silverstripe/framework:4.2.2, silverstripe/framework:4.3.0
- Release Date:
- 2018-11-07
When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details.
We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.
Reported by Dylan Wagstaff (SilverStripe Ltd) and Lukas Erni.
-
SS-2018-007: GraphQL lacks CSRF
- Severity:
- Medium (?)
- Identifier:
- SS-2018-007
- Versions Affected:
- >= 4
- Versions Fixed:
- 4.0.5, 4.1.3, 4.2.2, 4.3.0-rc1
- Release Date:
- 2018-11-07
The GraphQL server used by the CMS is exposed to a CSRF vulnerability that allows attackers to force admins to delete all the files on their SilverStripe installation due to the fact that the deletion request is sent without proper validation of the origin of the request or a CSRF token that prevents such acts.
Reported by Mustafa Hasan
-
SS-2018-017: Possible PHP Object Injection via Multi-Value Field Extension
- Severity:
- Medium (?)
- Identifier:
- SS-2018-017
- Versions Affected:
- symbiote/silverstripe-multivaluefield:^3.0
- Versions Fixed:
- symbiote/silverstripe-multivaluefield:3.1.0
- Release Date:
- 2018-07-26
A potential deserialisation vulnerability has been identified in the symbiote/silverstripe-multivaluefield which could allow an attacker to exploit implementations of this module via object injection.
Support for handling PHP objects as values in this module has been deprecated, and the serialisation technique has been switched to using JSON for handling arrays.
As well as this, a potential XSS (cross-site scripting) vulnerability has been identified and remediated.
Reported by Insomnia Security.
-
SS-2018-016: Unsafe SQL Query Construction (Safe Data Source)
- Severity:
- Low (?)
- Identifier:
- SS-2018-016
- Versions Affected:
- silverstripe/subsites:^2.0
- Versions Fixed:
- silverstripe/subsites:2.1.1
- Release Date:
- 2018-07-26
There is a low level potential SQL injection vulnerability in the silverstripe/subsites module has been identified and fixed in version 2.1.1.
Reported by Insomnia Security.
-
SS-2018-014: Dangerous file types in allowed upload
- Severity:
- Low (?)
- Identifier:
- SS-2018-014
- Versions Affected:
- silverstripe/framework:^3.6.5, silverstripe/framework:^4.0.3, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:3.6.6, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-06-28
Some potentially dangerous file types exist in File.allowed_extensions which could allow a malicious CMS user to upload files that then get executed in the security context of the website. We have removed the ability to upload .css, .js, .potm, .dotm, .xltm and .jar files in the default configuration. Since allowed_extensions are synced to webserver configuration (in assets/.htaccess) automatically, this will also deny access to any existing uploads with these extensions.
Review our security guidelines for the Common Web Platform and the File Security guide for SilverStripe 4 to find out how to add or remove extensions.
Reported by Insomnia Security.
-
SS-2018-013: Passwords sent back to browsers under some circumstances
- Severity:
- Low (?)
- Identifier:
- SS-2018-013
- Versions Affected:
- silverstripe/framework:^3.5, silverstripe/framework:^4.0.3, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:3.7.0, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-06-28
Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.
Reported by Logan Woods at Aura Information Security.
-
SS-2018-015: Vulnerable dependency
- Severity:
- Low (?)
- Identifier:
- SS-2018-015
- Versions Affected:
- silverstripe/comments:^1.3, silverstripe/comments:^2.0
- Versions Fixed:
- silverstripe/comments:3.1.1
- Release Date:
- 2018-05-28
The silverstripe/comments module, the cwp/starter-theme and the cwp/watea-theme include an outdated version of jQuery by default, which contains XSS vulnerabilities if user input is used in certain contexts. Though no known exploit has been found for these in the existing usage, user customisation to these themes could have made them exploitable.
CWP 2.0.0 has been released with the fixed cwp/stater-theme and silverstripe/comments module, and SilverStripe 4.2.0 will be released with the fixed silverstripe-themes/simple theme.
Reported by Insomnia Security.
-
SS-2018-012: Uploaded PHP script execution in assets
- Severity:
- Low (?)
- Identifier:
- SS-2018-012
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
A weakness in the .htaccess rules preventing requests to uploaded PHP scripts allows PHP scripts that had made their way into the assets directory to be successfully executed through the use of a specially crafted URL. There are protections in place to disallow upload of PHP scripts through the CMS, meaning this weakness does not lead to direct vulnerabilities.
In addition, sites hosted on the New Zealand Common Web Platform or SilverStripe Platform have additional configuration in place which prevents PHP script execution in assets, even in a malicious party manages to upload these into the folder.
Reported by Insomnia Security.
-
SS-2018-011: SQL injection vulnerability
- Severity:
- Medium (?)
- Identifier:
- SS-2018-011
- Versions Affected:
- silverstripe/taxonomy: 1.3.0, 2.0.0
- Versions Fixed:
- silverstripe/taxonomy: 1.3.1, 2.0.1
- Release Date:
- 2018-05-28
There is a vulnerability in silverstripe/taxonomy module that allows SQL injection. This affected controller (TaxonomyDirectoryController) is disabled by default and must be enabled by a developer for the exploit to be possible.
Reported by Insomnia Security.
-
SS-2018-010: Member disclosure in login form
- Severity:
- Low (?)
- Identifier:
- SS-2018-010
- Versions Affected:
- >=4.0.0
- Versions Fixed:
- 4.0.4, 4.1.1
- Release Date:
- 2018-05-28
There is a user ID enumeration vulnerability in our brute force error messages.
- Users that don't exist in will never get a locked out message
- Users that do exist, will get a locked out message
This means an attacker can infer or confirm user details that exist in the member table.
This issue has been resolved by ensuring that login attempt logging and lockout process works equivalently for non-existent users as it does for existant users.
This is a regression of SS-2017-002.
Reported by Dan Hensby of SilverStripe.
-
SS-2018-008: BackURL validation bypass with malformed URLs
- Severity:
- High (?)
- Identifier:
- SS-2018-008
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
A carefully constructed malformed URL can be used to circumvent the offsite redirection protection used on BackURL parameters. This could lead to users entering sensitive data in malicious websites instead of the intended one.
Reported by Mustafa Hasan
-
SS-2018-006: Code execution vulnerability
- Severity:
- High (?)
- Identifier:
- SS-2018-006
- Versions Affected:
- silverstripe/framework:^4.0.3, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
There is a vulnerability whereby arbitrary global functions may be executed if malicious user input is passed through to in the second argument of ViewableData::renderWith. This argument resolves associative arrays as template placehoders. This exploit requires that user code has been written which makes use of the second argument in renderWith and where user input is passed directly as a value in an associative array without sanitisation such as Convert::raw2xml().
ViewableData::customise is not vulnerable.
Reported by Logan Woods of Aura Information Security and Josh Leroux of Theory Tank.
-
SS-2018-005: isDev and isTest unguarded
- Severity:
- High (?)
- Identifier:
- SS-2018-005
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
The URL parameters isDev and isTest are accessible to unauthenticated users who access a SilverStripe website or application. This allows unauthorised users to expose information that is usually hidden on production environments such as verbose errors (including backtraces) and other debugging tools only available to sites running in "dev mode". Core functionality does not expose user data through these methods. Depending on your website configuration, community modules might have added more specific functionality which can be used to either access or alter user data.
We have fixed the usage of isDev and isTest in SilverStripe 4.x, and removed the URL parameters in the next major release of SilverStripe.
Reported by Will Barker at Kindleman
-
SS-2018-004: XSS Vulnerability via WYSIWYG editor
- Severity:
- Low (?)
- Identifier:
- SS-2018-004
- Versions Affected:
- silverstripe/admin:^1.0.3, silverstripe/admin:^1.1.0
- Versions Fixed:
- silverstripe/admin:1.0.4, silverstripe/admin:1.1.1
- Release Date:
- 2018-05-28
It is possible for a bad actor with access to the CMS to make use of onmouseover or onmouseout attributes in the WYSIWYG editor to embed malicious javascript.
Reported by Jeremy Bates at Heyday Digital (for Aura Information Security)
-
SS-2018-001: Privilege Escalation Risk in Member Edit form
- Severity:
- Low (?)
- Identifier:
- SS-2018-001
- Versions Affected:
- silverstripe/framework:^3.5.7, silverstripe/framework:^3.6.0, silverstripe/framework:^4.0.0, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:3.5.8, silverstripe/framework:3.6.6, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
A member with the permission EDIT_PERMISSIONS and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.
CMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.
Reported by: Worik Stanton