CVE-2019-19326 Web Cache Poisoning through HTTPRequestBuilder
- Severity:
- Medium (?)
- Identifier:
- CVE-2019-19326
- Versions Affected:
- silverstripe/framework: ^3.0, silverstripe/framework: ^4.0
- Versions Fixed:
- silverstripe/framework: 3.7.5, silverstripe/framework: 4.4.7, silverstripe/framework: 4.5.4, silverstripe/framework: 4.6.0
- Release Date:
- 2020-07-13
Silverstripe CMS sites which have opted into HTTP Cache Headers on responses served by the framework's HTTP layer can be vulnerable to web cache poisoning. Through modifying the X-Original-Url
and X-HTTP-Method-Override
headers, responses with malicious HTTP headers can return unexpected responses to other consumers of this cached response. Most other headers associated with web cache poisoning are already disabled through request hostname forgery whitelists.
Silverstripe CMS also supports an alternative means to override a request's HTTP method by including a _method
parameter in a POST request. This behaves similarly to the X-HTTP-Method-Override
headers and is susceptible to the same vulnerability.
The impact of this vulnerability depends on how you are using request data. The risk potential increases when your site allows user contributed content (such as comments or wiki-style pages).
In addition to public cache headers such as Cache-Control: max-age=<age>
, there needs to be an intermediary HTTP cache between the website user and the server. This role is often filled by Content Delivery Networks (CDNs) and system components such as Varnish, but can also appear in the user's own network path (corporate proxies). See PortSwigger: Web Cache Poisoning for more details on the concept.
If your Silverstripe CMS site requires those headers the work, you may need to take additional step when upgrading. Review the changelog for the version you plan to upgrade to:
- Silverstripe CMS Recipe 3.7.5 changelog
- Silverstripe CMS Recipe 4.4.7 changelog
- Silverstripe CMS Recipe 4.5.3 changelog
- Silverstripe CMS Recipe 4.6.0 changelog
Base CVSS: 5.9
CWP CVSS: 5.9
Reporters:
- memN0ps
- Will Boucher, Pulse Security
- Sabine Degen