Security Releases

When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.

• SS-2013-002: SQL injection in Versioned.php

  Severity:

  Critical (?)

  Identifier:

  SS-2013-002

  Versions Affected:

  2.4

  Versions Fixed:

  2.4.11

  Release Date:

  2013-08-08

  The archiveDate parameter wasn't correctly escaping user input through URL parameters (download patch)

  Thanks to Dean Jerkovich of NCC Group for reporting.

• SS-2013-001: Require ADMIN for ?flush=1

  Severity:

  High (?)

  Identifier:

  SS-2013-001

  Versions Affected:

  2.4, 3.0, 3.1

  Versions Fixed:

  2.4.11,3.0.6,3.1.0-rc1

  Release Date:

  2013-08-08

  Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

  To prevent this, main.php now checks and only allows the flush parameter in the following cases:

  • The environment is in "dev mode"
  • A user is logged in with ADMIN permissions
  • An error occurs during startup

  This applies to both flush=1 and flush=all (technically we only check for the existence of any parameter value) but only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal.

  Thanks to Christopher Tombleson for reporting.

• Undefined or empty `$allowed_actions` overrides parent definitions

  Severity:

  Low (?)

  Versions Affected:

  2.4,3.0

  Versions Fixed:

  2.4.10,3.0.4

  Release Date:

  2013-02-19

• Information exposure through web access on YAML configuration files

  Severity:

  Low (?)

  Versions Affected:

  3.0

  Versions Fixed:

  3.0.4

  Release Date:

  2013-02-19

• Information exposure through web access on composer files

  Severity:

  Low (?)

  Versions Affected:

  3.0

  Versions Fixed:

  3.0.4

  Release Date:

  2013-02-19

• Require ADMIN permissions for ?showtemplate=1

  Severity:

  Low (?)

  Versions Affected:

  3.0

  Versions Fixed:

  3.0.4

  Release Date:

  2013-02-19

• Stored XSS in the "New Group" dialog, XSS in CMS status messages

  Severity:

  Low (?)

  Versions Affected:

  3.0

  Versions Fixed:

  3.0.4

  Release Date:

  2013-02-19

• Older releases

  Severity:

  Low (?)

  Release Date:

  2013-01-01

  5 December 2012

  • SilverStripe v2.4.9 - [Severity: Moderate] More secure "remember me" and "forgot password" token hashing  (details)
    
    

  31 October 2012

  • SilverStripe v2.4.8 - [Severity: Moderate] Redirection to remote URLs, content type checks, install.php remote code execution  (details)

  31 January 2012

  • SilverStripe v2.4.7 - XSS in text transformations on templates and page title saving in CMS (details)
  • SilverStripe v2.3.13 - See 2.4.7 (details)

  18 October 2011

  • SilverStripe v2.4.6 - XSS in anchor links, possible SQL injection with far eastern encodings, possible remote code execution through page comments (details)
  • SilverStripe v2.3.12 - See 2.4.6 (details)

  21 December 2010

  • SilverStripe v2.4.4 - SQL information disclosure, SQL injection in Translatable extension, Cross Site Request Forgery in various CMS interfaces, XSS in controller action handling (details)
  • SilverStripe v2.3.10 - SQL injection in Translatable extension, Cross Site Request Forgery in various CMS interfaces, XSS in controller action handling (details)

  11 November 2010

  • SilverStripe v2.4.3 - Cross Site Request Forgery in various CMS interfaces and page comments, increased file extension upload security through whitelisting (details)
  • SilverStripe v2.3.9 - Cross Site Request Forgery in various CMS interfaces and page comments (details)

  22 September 2010

  • SilverStripe v2.4.2 - Viewing unpublished content, privilege escalation of CMS editors with access to admin/security (details)

  23 July 2010

  • SilverStripe v2.4.1 - File extension checks, installer security, information disclosure through PHP file execution, passwords not encrypted in certain UI actions (details)
  • SilverStripe v2.3.8 - File extension checks, information disclosure through PHP file execution (details)

  18 March 2010

  • SilverStripe v2.3.7 - Privilege escalation exploit, unauthenticated remote removal of index.php under certain conditions

  8 February 2010

  • SilverStripe v2.3.6 - Escaping exploit

  21 January 2010

  • SilverStripe v2.3.5 - Escaping exploit
  • Forum 0.2.5 - Addresses an escaping issue

  8 July 2009

  • Blog Module v0.2.1

  20 March 2009

  • SilverStripe v2.3.1
  • SilverStripe v2.2.4 - designed for maximum compatibility with v2.2.0 - v2.2.3

• SS-2018-007: CSRF vulnerability in graphql

  Severity:

  High (?)

  Identifier:

  SS-2018-007

  Versions Affected:

  silverstripe/graphql:^2.0

  Versions Fixed:

  silverstripe/graphql:2.0.3, silverstripe/graphql:3.0.0

  The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.

  Reported by Mustafa Hasan

• SS-2016-017: SVG Uploads

  Severity:

  Low (?)

  Identifier:

  SS-2016-017

  Versions Affected:

  <=3.6.0

  Versions Fixed:

  3.6.1

  SVG Images uploads can execute arbitrary scripts, and introduces the risk of XSS.

  Upload of files with the .svg extension will be disabled by default.

  
  Discovered by SEC Consult Singapore Pte. Ltd. (https://www.sec-consult.com/)

• Prev
• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11