SS-2014-005: Arbitrary class creation in CMS backend
- Low (?)
- Versions Affected:
- 3.0.9, 3.1.3, and all previous versions
- Versions Fixed:
- 3.0.10, 3.1.4
- Release Date:
By changing the PageType value passed to CMSPageAddController, a user is able to create any arbitrary class. If this class is a DataObject, it will be written to the database. This allows a user to create classes that they should not be able to.
The is fixed by changing CMSMain->getNewItem() to only create classes that are subclasses of the tree_class (SiteTree in most cases).
At this stage, there is no known way to use this for arbitary code execution, or arbitary database access, thus the issue is rated low severity.
Thanks to Simon Welsh for reporting and submitting a patch.