Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
SS-2015-019: Leaky draft stage risk
- Severity:
- Low (?)
- Identifier:
- SS-2015-019
- Versions Affected:
- 3.2 and below
- Versions Fixed:
- 3.3.0-beta1
- Release Date:
- 2015-12-23
In some cases, user code which applies Versioned extension to DataObjects may expose non-public content, unless an appropriate canView is implemented which checks access for the current stage.
This is a risk in cases that the site is put into staging mode by an unauthenticated user.
In 3.3.0 versioned dataobjects will now automatically have a default security model which denies draft access to public users, and directly blocks access to the stage mode via the querystring.
This is accepted as not a security bug but rather a risk to mitigate common errors in user code which fail to address appropriate permission checks. Please read the security documentation on versioning for more information on how site developers can secure their code.
-
SS-2015-024: Queued jobs serialised data exposure
- Severity:
- Low (?)
- Identifier:
- SS-2015-024
- Versions Affected:
- 2.8.1 and below
- Versions Fixed:
- 2.8.3
- Release Date:
- 2015-11-23
SavedJobData and SavedJobMessages contain php serialised data. There's no point showing these to a CMS Admin as they're not human readable. Worse, it might be insecure, as a malicious CMS Admin might be able to craft a payload thats dangerous to unserialise.
This issue has been resolved by hiding this content, even from administrators.
-
SS-2015-023: Advanced workflow member field exposure
- Severity:
- Low (?)
- Identifier:
- SS-2015-023
- Versions Affected:
- 3.2.1 and below
- Versions Fixed:
- 3.2.3
- Release Date:
- 2015-11-23
By default, the CMS Admin editable template for the NotifyUsers action has access to a large number of fields, including (for instance) Member#Password. This would allow a malicious CMS Admin to extract other admin passwords by adding a template emailing these fields to themselves when other admins trigger the workflow.
A new configuration option `NotifyUsersWorkflowAction.whitelist_template_variables` has been added. When this option is set to true via the Config API then only member fields specified via Member.summary_fields may be accessed.
-
SS-2015-027: HtmlEditor embed url sanitisation
- Severity:
- Low (?)
- Identifier:
- ss-2015-027
- Versions Affected:
- 3.2.0 and below
- Versions Fixed:
- 3.2.1
- Release Date:
- 2015-11-16
"Add from URL" doesn't clearly sanitise URL server side
HtmlEditorField_Toolbar has an action HtmlEditorField_Toolbar#viewfile, which gets called by the CMS when adding a media "from a URL" (i.e. via oembed).
This action gets the URL to add in the GET parameter FileURL. However it doesn't do any URL sanitising server side. The current logic will pass this through to Oembed, which will probably reject most dangerous URLs, but it's possible future changes would break this.
-
SS-2015-026: Form field validation message XSS vulnerability
- Severity:
- High (?)
- Identifier:
- ss-2015-026
- Versions Affected:
- 3.1.15 and below, 3.2.0
- Versions Fixed:
- 3.1.16, 3.2.1
- Release Date:
- 2015-11-16
A high level XSS risk has been identified in the encoding of validation messages in certain FormField classes.
Certain fields such as the NumericField and DropdownField have been identified, but any form field which presents any invalid content as a part of its validation response will be at risk.
Common Vulnerability Scoring System (CVSS) Information
Credit to "Arjun Basnet from Cyber Security Works Pvt.Ltd (http://cybersecurityworks.com/)"
-
SS-2015-025: Request class name exposure on error
- Severity:
- Low (?)
- Identifier:
- SS-2015-025
- Versions Affected:
- 3.1.15 and below, 3.2.0
- Versions Fixed:
- 3.1.16, 3.2.1
- Release Date:
- 2015-11-16
RequestHandler would include the class name in the unstyled 403 & 404 responses. This is a slight information leak that could be used by an attacker.
This issue has been resolved by suppressing these errors on live.
-
SS-2015-022: XML escape RSSFeed $link parameter
- Severity:
- Low (?)
- Identifier:
- SS-2015-022
- Versions Affected:
- 3.1.15 and below, 3.2.0
- Versions Fixed:
- 3.1.16, 3.2.1
- Release Date:
- 2015-11-16
When RSSLink is created it is given a URL which is rendered via $Link in a template, which is not escaped properly.
This was resolved by ensuring that $Link is cast to Varchar, which is XML encoded by default in any template. -
SS-2015-021: Hash rewrite URL filtering
- Severity:
- Medium (?)
- Identifier:
- SS-2015-021
- Versions Affected:
- 3.1.15 and below, 3.2.0
- Versions Fixed:
- 3.1.16, 3.2.1
- Release Date:
- 2015-11-16
When SSViewer rewrites has links, it takes the whole URL after the base and prepends it to the hash. So for http://example.com/foo, links like "#" become "/foo#". This prevents them being interpreted as relative to the base tag (i.e. as "http://example.com/#")
However this URL isn't well filtered, so a URL like http://example.com//evil.com will have it's hash links be rewritten to be "//evil.com#"
This fix has been resolved by pre-filtering $_SERVER['REQUEST_URI'] to clean leading double-slashes which would otherwise denote such urls as protocol-relative links.
-
SS-2015-020: Privilege Escalation Risk in Security Admin
- Severity:
- Low (?)
- Identifier:
- SS-2015-020
- Versions Affected:
- 3.1.14-rc1
- Versions Fixed:
- 3.1.14 stable
- Release Date:
- 2015-09-15
A member with the permission EDIT_PERMISSIONS is able to re-assign themselves (or another member) to ADMIN level.
Code to protect against this used to be in the TreeMultiselectField, but has since been replaced with the ListboxField. The actual check this invoked was in Member::onChangeGroups.
Thanks to Florian Thoma for reporting.
-
SS-2015-016: XSS in install.php
- Severity:
- Low (?)
- Identifier:
- SS-2015-016
- Versions Affected:
- 3.1.14-rc1 and below
- Versions Fixed:
- 3.1.14 stable
- Release Date:
- 2015-09-15
During installation, certain parameters (admin_username and admin_password) are not escaped in the setup form.
This issue is resolved in 3.1.14 stable, although existing users are advised to remove this file prior to deploying to a production server.
-
SS-2015-015: XSS in dev/build returnURL Parameter
- Severity:
- Low (?)
- Identifier:
- ss-2015-015
- Versions Affected:
- 3.1.14-rc1 and below
- Versions Fixed:
- 3.1.14 stable
- Release Date:
- 2015-09-15
A XSS risk exists in the returnURL parameter passed to dev/build. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site.
This issue is resolved in framework 3.1.14 stable release.
-
SS-2015-018: File upload exposure on UserForms module
- Severity:
- Medium (?)
- Identifier:
- SS-2015-018
- Versions Affected:
- Userforms 3.0.0 beta 1 and below
- Versions Fixed:
- Userforms 3.0.0 final
- Release Date:
- 2015-08-31
The userforms module allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is not predictable, certain actions taken by CMS authors could expose it. For example, submission notification emails contain a link to the file without authorisation checks.
In 3.0.0 this field is disabled by default, but re-enabled upon installation of the secure assets module. When this is installed, the field can once again be used within a form, and will automatically lock this folder to a secure list of users, which can then be configured further by an administrator.Existing file upload fields will not be disabled, but will require re-enabling via config or installation of secure assets to become editable again.
If any upload field points or is pointed to a folder that is not secured, and the secure assets module is present, then that folder will have the secure permissions applied automatically.
-
SS-2015-017: Forum Module CSRF Vulnerability
- Severity:
- Critical (?)
- Identifier:
- ss-2015-017
- Versions Affected:
- 0.6.1 and below, 0.7.0 to 0.7.3
- Versions Fixed:
- 0.6.2, 0.7.4, 0.8.0
- Release Date:
- 2015-08-10
A number of form actions in the Forum module are directly accessible. A malicious user (e.g. spammer) can use GET requests to create Members and post to forums, bypassing CSRF and anti-spam measures.
Additionally, a forum moderator could be tricked into clicking a specially crafted URL, resulting in a topic being moved.
Thanks to Michael Strong for discovering.
-
SS-2015-014: Vulnerability on "isDev", "isTest" and "flush" $_GET validation
- Severity:
- High (?)
- Identifier:
- SS-2015-014
- Versions Affected:
- 3.0.13 and below, 3.1.0 to 3.1.13-rc1
- Versions Fixed:
- 3.0.14, 3.1.13
- Release Date:
- 2015-05-28
When a secure token parameter is provided to a SilverStripe site (such as isDev or flush) an empty token parameter can be provided in order to bypass normal authentication parameters.
For instance, http://www.mysite.com/?isDev=1&isDevtoken will force a site to dev mode. Alternatively, "flush" could also be used in succession to cause excessive load on a victim site and risk denial of service.
The fix in this case is to ensure that empty tokens fail the validation check.
Download Fix for 3.0 or Download Fix for 3.1
Common Vulnerability Scoring System (CVSS) Information
Credit to Patrick Nelson (https://catchyour.com/) for reporting this issue.
-
SS-2015-013: X-Forwarded-Host request hostname injection
- Severity:
- High (?)
- Identifier:
- SS-2015-013
- Versions Affected:
- 3.1.13-rc1 and below
- Versions Fixed:
- 3.1.13
- Release Date:
- 2015-05-28
A potential hostname injection vulnerability has been found which could allow attackers to alter url resolution.
If a request contains the X-Forwarded-Host HTTP header a website would then use its value in place of the actual HTTP hostname. In cases where caching is enabled, this could allow an attacker to potentially embed a remote url as the base_url for any site. This would then cause other visitors to the site to be redirected unknowingly.
This header is necessary for servers running behind a reverse proxy (such as nginx). Such servers are likely not vulnerable to this risk.
A fix has been merged into the default installer, although existing projects which do not run behind a reverse proxy should update their htaccess as below:
<IfModule mod_headers.c>
# Remove X-Forwarded-Host header sent as a part of any request from the web
RequestHeader unset X-Forwarded-Host
</IfModule>Common Vulnerability Scoring System (CVSS) Information
Thanks to Dariusz Półtorak for identifying this issue.
