Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
SS-2018-005: isDev and isTest unguarded
- Severity:
- High (?)
- Identifier:
- SS-2018-005
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
The URL parameters isDev and isTest are accessible to unauthenticated users who access a SilverStripe website or application. This allows unauthorised users to expose information that is usually hidden on production environments such as verbose errors (including backtraces) and other debugging tools only available to sites running in "dev mode". Core functionality does not expose user data through these methods. Depending on your website configuration, community modules might have added more specific functionality which can be used to either access or alter user data.
We have fixed the usage of isDev and isTest in SilverStripe 4.x, and removed the URL parameters in the next major release of SilverStripe.
Reported by Will Barker at Kindleman
-
SS-2018-004: XSS Vulnerability via WYSIWYG editor
- Severity:
- Low (?)
- Identifier:
- SS-2018-004
- Versions Affected:
- silverstripe/admin:^1.0.3, silverstripe/admin:^1.1.0
- Versions Fixed:
- silverstripe/admin:1.0.4, silverstripe/admin:1.1.1
- Release Date:
- 2018-05-28
It is possible for a bad actor with access to the CMS to make use of onmouseover or onmouseout attributes in the WYSIWYG editor to embed malicious javascript.
Reported by Jeremy Bates at Heyday Digital (for Aura Information Security)
-
SS-2018-001: Privilege Escalation Risk in Member Edit form
- Severity:
- Low (?)
- Identifier:
- SS-2018-001
- Versions Affected:
- silverstripe/framework:^3.5.7, silverstripe/framework:^3.6.0, silverstripe/framework:^4.0.0, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:3.5.8, silverstripe/framework:3.6.6, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
A member with the permission EDIT_PERMISSIONS and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.
CMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.
Reported by: Worik Stanton
-
SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms
- Severity:
- High (?)
- Identifier:
- ss-2017-010
- Versions Affected:
- 4.0.0
- Versions Fixed:
- 4.0.1
- Release Date:
- 2017-12-07
When accessing the install.php script it is possible to extract any pre-configured database or default admin account password by viewing the source of the page, and inspecting the `value` property of the password fields.
Sites which do not have install.php deployed are not affected.
-
SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt
- Severity:
- Low (?)
- Identifier:
- ss-2017-009
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.
In order to address this a one-way hash is applied to the Email field before being stored.
Reported by Loz Calver
-
SS-2017-008: SQL injection in full text search of SilverStripe 4
- Severity:
- Critical (?)
- Identifier:
- ss-2017-008
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
When performing a fulltext search in SilverStripe 4.0.0 the 'start' querystring parameter is never escaped safely. This exposes a possible SQL injection vulnerability.
The issue exists in 3.5 and 3.6 but is less vulnerable, as SearchForm sanitises these variables prior to passing to mysql.
Reported by Stephan Bauer
-
SS-2017-007: CSV Excel Macro Injection
- Severity:
- Low (?)
- Identifier:
- ss-2017-007
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
In the CSV export feature of the CMS it's possible for the output to contain macros and scripts, which if imported without sanitisation into software (including Microsoft Excel) may be executed.
In order to safeguard against this threat all potentially executable cell values exported from CSV will be prepended with a literal tab character.
Reported by Ishaq Mohammed
-
SS-2017-006: Session user agent change detection
- Severity:
- Low (?)
- Identifier:
- ss-2017-006
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2
- Versions Fixed:
- 3.5.6, 3.6.3
- Release Date:
- 2017-12-07
A security protection device in Session designed to protect session hijacking was not correctly functioning. This function intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not correctly invalidating the user session.
Reported by Patrick Nelson - https://catchyour.com/
-
SS-2017-005: User enumeration via timing attack on login and password reset forms
- Severity:
- Medium (?)
- Identifier:
- SS-2017-005
- Versions Affected:
- 3.5.4 and below to 3.6.1
- Versions Fixed:
- 3.5.5, 3.6.2
- Release Date:
- 2017-09-28
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
Credit to Daniel Hensby (SilverStripe) and Erez Yalon (Checkmarx)
-
SS-2017-004: XSS in page history comparison
- Severity:
- Low (?)
- Identifier:
- SS-2017-004
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
Authenticated user with page edit permission can craft HTML, which when rendered in a page history comparison can execute client scripts.
Credit to Anti Räis for reporting this issue.
-
SS-2017-003: XSS in RedirectorPage
- Severity:
- Low (?)
- Identifier:
- SS-2017-003
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
RedirectorPage will allow users to specify a non-url malicious script as the redirection path without validation. Users which follow this url may allow this script to execute within their browser.
Credit to Wester for reporting this issue.
-
SS-2017-002: Member disclosure in login form
- Severity:
- Low (?)
- Identifier:
- SS-2017-002
- Versions Affected:
- 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed:
- 3.4.6, 3.5.4, 3.6.0
- Release Date:
- 2017-05-31
There is a user ID enumeration vulnerability in our brute force error messages.
- Users that don't exist in will never get a locked out message
- Users that do exist, will get a locked out message
This means an attacker can infer or confirm user details that exist in the member table.
This issue has been resolved by ensuring that login attempt logging and lockout process works equivalently for non-existent users as it does for existant users.
-
SS-2017-001: XSS In page name
- Severity:
- Low (?)
- Identifier:
- SS-2017-001
- Versions Affected:
- 3.5.1 and below
- Versions Fixed:
- 3.4.4, 3.5.2
- Release Date:
- 2017-01-31
Page name `"><svg/onload=alert(/xss/)>` will trigger an XSS alert.
Credit to
Edric Teo
https://smarterbitbybit.com -
SS-2016-016: XSS In CMSSecurity BackURL
- Severity:
- Low (?)
- Identifier:
- SS-2016-016
- Versions Affected:
- 3.1.20 and below, 3.2.0 to 3.2.5, 3.3.0 to 3.3.3
- Versions Fixed:
- 3.1.21, 3.2.6, 3.3.4, 3.4.2, 3.5.0
- Release Date:
- 2016-11-29
In follow up to SS-2016-001 there is yet a minor unresolved fix to incorrectly encoded URL.
Credit: David Júlio for reporting.
-
SS-2016-010: ReadOnly transformation for formfields exploitable
- Severity:
- Low (?)
- Identifier:
- SS-2016-010
- Versions Affected:
- 3.1.20 and below, 3.2.0 to 3.2.5, 3.3.0 to 3.3.3
- Versions Fixed:
- 3.1.21, 3.2.6, 3.3.4, 3.4.2, 3.5.0
- Release Date:
- 2016-11-29
Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default.
SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and doesn't overwrite data on form construction.
Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data on these fields doesn't make it into the database unless you are accessing form values directly in your saving logic.
Discovered by employers of security-assessment.com, division of Dimension Data.