3.7.5
- CVE-2019-19326 Web Cache Poisoning
- CVE-2020-9311 Malicious user profile information can cause login form XSS
CVE-2019-19326 Web Cache Poisoning
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
X-Original-UrlHTTP headerX-HTTP-Method-OverrideHTTP header_methodPOST variable.
In order to remedy this vulnerability, Silverstripe Framework 3.7.5 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
Re-enabling the support for removed features
These features are best implemented by defining a RequestFilter. Request Filters are similar to the more modern concept of "middleware" as defined by the PSR-15 standard and supported by Silverstripe 4.
The following example illustrate how to implement a RequestFilter that restore support for the X-Original-Url header and the _method POST parameter for request originating from a trusted proxy.
<?php
/**
* This is meant to illustrate how to implement a RequestFilter. It assumes your
* trusted proxy will strip the insecure data from any requests. If you blindly
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
*/
class InsecureRequestProcessor implements RequestFilter
{
public function preRequest(SS_HTTPRequest $request, Session $session, DataModel $model)
{
if (TRUSTED_PROXY) {
$originalUrl = $request->getHeader('X-Original-Url');
if ($originalUrl) {
$request->setUrl($originalUrl);
$_SERVER['REQUEST_URI'] = $originalUrl;
}
$methodOverride = $request->postVar('_method');
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
$request->setMethod($methodOverride);
}
}
return true;
}
public function postRequest(SS_HTTPRequest $request, SS_HTTPResponse $response, DataModel $model)
{
return true;
}
}To learn more about re-implementing support for the disabled features:
- read How to implement a Request Filter on the Silverstripe documentation
- read how to configure trusted proxies on the Silverstripe documentation
- review RequestFilter interface
To learn more about middleware:
- read the PSR-15: HTTP Server Request Handlers standard
- read the Silverstripe 4 documentation about HTTP Middlewares standard.
Review the CVE-2019-19326 public disclosure
CVE-2020-9311 Malicious user profile information can cause login form XSS
Malicious users with a valid Silverstripe login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
Review the CVE-2020-9311 public disclosure
Change Log
Security
- 2020-07-09 c96e9d2fe Add public disclosure statement to changelog (Maxime Rainville) - See cve-2020-9311
- 2020-05-04 074b28cf9 Add changelog for CVE-2019-19326 (Maxime Rainville) - See cve-2019-19326
- 2020-04-28 98926e4e6 Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod(). (Maxime Rainville) - See cve-2019-19326
- 2020-04-23 d3b23e702 Escape First Name when displaying re-login screen (Maxime Rainville) - See cve-2020-9311
Features and Enhancements
- 2019-11-18 54e7223d9 Docs rebuild for compliance with Gatsby (#9316) (Aaron Carlino)