Versions:

2.4.4 (2010-12-21)

Overview

  • Security: SQL information disclosure in MySQLDatabase
  • Security: XSS in controller handling for missing actions
  • Security: SQL injection with Translatable extension enabled
  • Security: Version number information disclosure
  • Security: Weak entropy in tokens for CSRF protection, autologin, "forgot password" emails and password salts
  • Security: HTTP referer leakage on Security/changepassword
  • Security: CSRF protection bypassed when handling form action requests through controller
  • Improved security of PHPSESSID and byPassStaticCache cookies (setting them to 'httpOnly')

Upgrading Notes

If you're using open_basedir in PHP:

There is a bug in 2.4.4 which breaks open_basedir restriction.

The issue has been fixed in the development 2.4 branch, but you'll need to patch your existing copy of SilverStripe 2.4.4 if this affects you. The error usually occurs when you try logging into the CMS.

It can be fixed by patching your working copy with this change: http://open.silverstripe.org/changeset/115314

Security: SQL information disclosure in MySQLDatabase

Description

The 'showqueries' GET parameter shows all performed SQL queries in the page output. This is intended functionality, but should be limited websites not being in "live mode" (set through Director::set_environment_type(), checked through Director::isLive()). By adding an 'ajax' GET parameter you can circumvent this live check.

See Secunia Advisory: http://secunia.com/advisories/42346/

Solution

Don't circumvent Director::isLive() check in MySQLDatabase

Impact

Information disclosure of potentially sensitive information through SQL query strings.

Reported by

Andrew Lord, Nathaniel McHugh

Patches

Security: XSS in controller handling for missing actions

Description

Controller routing in SilverStripe core doesn't encode error messages for missing URL actions before returning them to the user (see Controller->handleAction()).

This can be reproduced with any URL that doesn't have custom error handling defined through RequestHandler::$url_handlers, which includes all core controllers.

Reproduce with the following URL: http:///Security/%3Cvideo%20src=1%20onerror=%22alert%281%29%22%3E;;

See Secunia Advisory: http://secunia.com/advisories/42346/

Solution

Force Content-Type: text/plain upon output.

Impact

Attackers can craft URLs to change the displayed website behaviour as well as gain access to authenticated cookie information. In case the victim has a permanent login cookie ("Remember me" checkbox), this can lead to CMS access for attackers.

Reported by

Tim Suter, Andrew Horton (http://security-assessment.com)

Patches

Security: SQL injection with Translatable extension enabled

Description

Locale setter methods on i18n and Translatable classes are not sanitizing or whitelisting input, which can lead to SQL injection based on "locale" GET parameters. This behaviour is limited to websites having the (built-in) Translatable extension activated.

Solution

Sanitize locale values in Translatable->augmentSQL() and whitelist locale values in i18n setters.

Impact

High

Affected Versions

  • SilverStripe trunk
  • SilverStripe 2.4.3 or older
  • SilverStripe 2.3.9 or older

Provided by

Pavol Ondras

Patches

Security: Version number information disclosure

SilverStripe exposes version information through static files located in the webroot. As these files have no extension, they are served without processing by most webserver default configurations.

The files are: sapphire/silverstripe_version cms/silverstripe_version

See http://open.silverstripe.org/ticket/5031 See http://secunia.com/advisories/42346/

Solution

Reject web requests to version information through .htaccess for Apache, and web.config for IIS.

Impact

Version Information about the product can be used to craft attacks more specifically.

Reported by

Robert Mac Neil

Patches

Security: Weak entropy in tokens for CSRF protection, autologin, "forgot password" emails and password salts

SilverStripe uses rand(), mt_rand() in combination with uniqid(), substr() and time() to create pseudo-random tokens. Due to the nature of these implementations, the entropy of tokens is low, potentially exposing them to brute force attacks.

Affected functionality:

  • CSRF form protection
  • Member Autologin
  • "Forgot Password" emails
  • Autogenerated salt values for hashed passwords in the Member table

Solution

Use the best available PRNG implementation on the current platform and PHP version (favouring MCRYPT_DEV_URANDOM and openssl_random_pseudo_bytes()).

Impact

Weak entropy can be used for more successful brute force attacks.

Reported by

Andrew Horton (http://security-assessment.com)

Patches

Security: HTTP referer leakage on Security/changepassword

Description

The Security/changepassword URL action can be invoked with a temporary token stored against the member record ("AutoLoginHash"). This token is set when a member requests a new password by email through Security/lostpassword, and cleared upon successful password change.

The token is passed as a GET parameter, which can expose it to HTTP referer leakage, in case the member decides to navigate away from the "change password" form before submitting the form (which would invalidate the token). If the clicked link is an external page, the (still valid) GET parameter will appear in the external site's HTTP referer logs, enabling third parties to take over user accounts.

Note: This is only a problem when Security/changepassword is used without being logged-in.

Solution

Redirect from Security/changepassword/?h=XXX to Security/changepassword and store the token in session instead.

Impact

Takeover of user accounts by third parties with access to HTTP referer logs.

Provided By

Andrew Lord

Patches

Security: CSRF protection bypassed when handling form action requests through controller

Description

The built-in CSRF protection on forms in SilverStripe can be bypassed by routing the action through the controller instead of the form.

Protected: mycontroller/MyForm/?action_doSubmit=1

Unprotected: mycontroller/action_doSubmit

Note: Does not apply to manual CSRF protection in controller actions through SecurityToken->check().

Solution

Developers are encouraged to use Controller::$allowed_actions to limit the actions accessible through URL routing. Methods that need automatic CSRF protection (most form actions) should NOT be included in $allowed_actions, their protection is handled through request handling in the form class itself.

See security documentation for more details.

Impact

Exposes various administrative actions (creating a new page, reverting to draft) to CSRF attacks, in case attackers know the URL a victim has a valid CMS login for.

Provided By

Ingo Schommer

Patches

Changelog

Features and Enhancements

  • [rev:114901] Allow setting secure session cookies when using SSL. Recent change r114567 made this impossible. (thanks simon_w!) (from r114900)
  • [rev:114572] 'bypassStaticCache' cookie set in Versioned is limited to httpOnly flag (no access by JS) to improve clientside security (from r114568)
  • [rev:114571] Session::start() forces PHPSESSID cookies to be httpOnly (no access by JS) to improve clientside security (from r114567)
  • [rev:114499] Added !RandomGenerator for more secure CRSF tokens etc. (from r114497)
  • [rev:114467] PHP requirements in installer now check for date.timezone correctly being set for PHP 5.3.0+. This option is required to be set starting with 5.3.0 and will cause an error during installation if not
  • [rev:114083] Added SS_HTTPResponse->setStatusDescription() as equivalent to setStatusCode(). Added documentation.
  • [rev:113963] Split temp directory check and writability into two checks
  • [rev:113961] #6206 Installer additional checks for module existence by checking _config.php exists, in addition to the directory
  • [rev:113919] Allowing i18nTextCollector to discover entities in templates stored in themes/ directory (thanks nlou) (from r113918)
  • [rev:113871] Update Asset's left and right panels with filders and files after 'Look for new files' was triggered (open #5543)

API Changes

  • [rev:114474] Using i18n::validate_locale() in various Translatable methods to ensure the locale exists (as defined through i18n::$allowed_locales) (from r114470)

Bugfixes

  • [rev:115189] Removing form actions from $allowed_actions in !AssetAdmin, CMSMain, !LeftAndMain - handled through Form->httpSubmission() (from r115185)
  • [rev:115188] Checking for existence of !FormAction in Form->httpSubmission() to avoid bypassing $allowed_actions definitions in controllers containing this form
  • [rev:115188] Checking for $allowed_actions in Form class, through Form->httpSubmission() (from r115182)
  • [rev:115169] Fixed conflicting check of mysite directory with recommendation of removal of _config.php in installer
  • [rev:114941] #6162 CMSMain::publishall() fails when over 30 pages (thanks natmchugh!) (from r114940)
  • [rev:114922] #6219 Director::direct() validation fails for doubly nested file fields (thanks ajshort!) (from r114921)
  • [rev:114823] Installer should check asp_tags is disabled, as it can cause issues with !SilverStripe
  • [rev:114783] Removed switch in !MySQLDatabase->query() to directly echo queries with 'showqueries' parameter when request is called via ajax (from r114782)
  • [rev:114774] Disallow web access to sapphire/silverstripe_version to avoid information leakage (from r114773)
  • [rev:114771] Disallow web access to cms/silverstripe_version to avoid information leakage (from r114770)
  • [rev:114760] Avoid potential referer leaking in Security->changepassword() form by storing Member->!AutoLoginHash in session instead of 'h' GET parameter (from r114758)
  • [rev:114719] Fallback text for "Password" in !ConfirmedPasswordField when no translation found
  • [rev:114683] Populates the page with fake data in order to pass subsequent unit tests
  • [rev:114654] Test if form is the right class (if a class decorates the content controller, this test would break ie sphinx)
  • [rev:114516] Escaping $locale values in Translatable->augmentSQL() in addition to the i18n::validate_locale() input validation (from r114515)
  • [rev:114512] Limiting usage of mcrypt_create_iv() in !RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specically in IIS) (from r114510)
  • [rev:114507] Using !RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of '!RememberLoginToken' and '!AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504)
  • [rev:114506] Using !RandomGenerator class in !PasswordEncryptor->salt() (from r114503)
  • [rev:114500] Using !RandomGenerator class in !SecurityToken->generate() for more random tokens
  • [rev:114473] Check for valid locale in i18n::set_locale()/set_default_locale()/include_locale_file()/include_by_locale() (as defined in i18n::$allowed_locales). Implicitly sanitizes the data for usage in controllers. (from r114469)
  • [rev:114445] Don't allow HTML formatting in !RequestHandler->httpError() by sending "Content-Type: text/plain" response headers. (from r114444)
  • [rev:114208] Including template /lang folders in i18n::include_by_locale() (implementation started in r113919)
  • [rev:114195] Added !SecurityToken to !PageCommentInterface->!DeleteAllLink() (fixes #6223, thanks Pigeon)
  • [rev:114083] Strip newlines and carriage returns from SS_HTTPResponse->getStatusDescription() (fixes #6222, thanks mattclegg) (from r114082)
  • [rev:114081] Removed double quoting of $where parameter in Translatable::get_existing_content_languages() (fixes #6203, thanks cloph) (from r114080)
  • [rev:114036] Fixed case where !AssetAdmin would throw an error if $links was not an object in !AssetAdmin::getCustomFieldsFor()
  • [rev:113976] #6201 Use of set_include_path() did not always include sapphire paths in some environments
  • [rev:113962] Installer now checks temporary directory is writable, in addition to it being available.
  • [rev:113809] #6197 simon_w: Fixed Internal Server Error when accessing assets on Apache without mod_php.
  • [rev:113692] Avoid reloading CMS form twice after certain saving actions (fixes #5451, thanks muzdowski)

Minor changes

  • [rev:114916] Ensure php5-required.html template shows correct minimum and recommended PHP versions (thanks mattcleg!) (from r114915)
  • [rev:114751] Setting Content-Type to text/plain in various error responses for !RestfulServer (from r114750)
  • [rev:114749] Reverting Member "!AutoLoginHash", "!RememberLoginToken" and "Salt" to their original VARCHAR length to avoid problems with invalidated hashes due to shorter field length (from r114748)
  • [rev:114745] Partially reverted r114744
  • [rev:114744] Reduced VARCHAR length from 1024 to 40 bytes, which fits the sha1 hashes created by !RandomGenerator. 1024 bytes caused problems with index lengths on MySQL (from r114743)
  • [rev:114720] Code formatting change in !ConfirmedPasswordField::__construct()
  • [rev:114454] Added exception handling if !ClassName is null in search results
  • [rev:114334] Checking for class_exists() before !SapphireTest::is_running_tests() to avoid including the whole testing framework, and triggering PHPUnit to run a performance-intensive directory traversal for coverage file blacklists (from r114332)
  • [rev:114079] Reverted r108515
  • [rev:114078] Documentation for Aggregate caching (from r114077)
  • [rev:114062] fixed visual glitch in CMS access tab for IE
  • [rev:114036] Defined $backlinks as an array before adding entries to it
  • [rev:114016] Fixed php tag in !SecurityTokenTest, should be "<?php" not "<?"
  • [rev:113984] Installer now writes "!SetEnv HTTP_MOD_REWRITE On" in .htaccess to be consistent with the original .htaccess file that comes with the phpinstaller project
  • [rev:113968] Fixed PHP strict standard where non-variables cannot be passed by reference
  • [rev:113967] Fixed undefined variable $groupList
  • [rev:113964] Re-use variable instead of check temp folder again
  • [rev:113956] Make sure that Translatable creates a translated parent of !SiteTree only when the parent is not translated (from r113955)
  • [rev:113937] don't trigger notice but Debug::show it
  • [rev:113936] don't trigger notice but Debug::show it
  • [rev:113933] test doesn't fail anymore due to time differences between db and php. The test now issues notices, warnings and errors depending on the severity of the offset
  • [rev:113924] Fixed spaces with tabs in Core
  • [rev:113923] Fixed spaces with tabs for Core::getTempFolder()
  • [rev:113696] call jquery-ui from thirdparty folder instead google api (see ticket 5915) (from r113656)
  • [rev:113695] Typo in !AssetAdmin (fixes #6191, thanks Juanitou)
  • [rev:113690] Updated cs_CZ and sk_SK translations in sapphire/javascript (fixes #6085, thanks Pike)
  • [rev:113689] Making some !JavaScript strings in cms/javascript translatable, and updated their cs_CZ and sk_SK translations (fixes #6085, thanks Pike)

Other

  • [rev:114464] FIX: Revert last commit
  • [rev:114463] FIX: Revert last commit

Was this article helpful?