This document contains information for an outdated version (3.0) and may not be maintained any more.

If some of your projects still use this version, consider upgrading as soon as possible.

3.0.4 (2013-02-19)

Overview

  • Security: Undefined or empty $allowed_actions overrides parent definitions
  • Security: Information leakage through web access on YAML configuration files
  • Security: Information leakage through web access on composer files
  • Security: Require ADMIN permissions for ?showtemplate=1
  • Security: Reflected XSS in custom date/time formats in admin/security
  • Security: Stored XSS in the "New Group" dialog
  • Security: Reflected XSS in CMS status messages
  • API: More restrictive $allowed_actions checks for Controller when used with Extension
  • Changed dev/tests/setdb and dev/tests/startsession from session to cookie storage.

Details

Security: Undefined or empty $allowed_actions overrides parent definitions

Severity: Important

Description: Controller (and subclasses) failed to enforce $allowed_action restrictions on parent classes if a child class didn't have it explicitly defined, or it is set to an empty array. Since this is the default configuration on Page_Controller, most SilverStripe installations will be affected.

Impact: Depends on the used controller code. For any method with public visibility, the flaw can expose the return value of the method (unless it fails due to wrong arguments). It can also lead to unauthorized or unintended execution of logic, e.g. modifying the state of a database record.

Fix: Apply 3.0.4 update. In addition, we strongly recommend to define $allowed_actions on all controller classes to ensure the intentions are clearly communicated. Read more about $allowed_actions in our "controller" docs.

Reporter: Zann St Pierre

Security: Information exposure through web access on YAML configuration files

Severity: Moderate

Description: YAML files are used to configure the SilverStripe application since its 3.0 release. These files can contain sensitive values such as database and API credentials. By default, the installer still stores database credentials in _config.php files which are safe from web access. So this only concerns configuration values added in your own project, or a third party module.

Resolution: Update your .htaccess file (for Apache), or your web.config file (for IIS) with the new files from the project root, and reapply any customizations you've made. Follow the general upgrade instructions. The nginx installation instructions have also been updated to reflect those changes.

Security: Information exposure through web access on composer files

Severity: Low

Description: Composer is a dependency management tool which can optionally be used to install SilverStripe. The composer.json and composer.lock files are required for its operation, so they are included in the standard release since 3.0.2. These files contain information on the installed versions of core and thirdparty modules, which could be used to target specific versions of SilverStripe.

Resolution: Update your .htaccess file (for Apache), or your web.config file (for IIS) with the new files from the project root, and reapply any customizations you've made. Follow the general upgrade instructions. The nginx installation instructions have also been updated to reflect those changes.

Security: Require ADMIN permissions for ?showtemplate=1

Severity: Low

Description: Avoids information leakage of compiled template data, which might expose some of the internal template logic.

Security: Reflected XSS in custom date/time formats in admin/security

Severity: Low

Prerequisite: An attacker must have access to the admin interface.

Description: When creating a new user on the security page (Security->New User) within the admin interface, the user input is not properly validated and not encoded. A reflected XSS is possible within the DateFormat_custom and TimeFormat_custom fields.

Credits: Andreas Hunkeler (Compass Security AG, http://www.csnc.ch)

Security: Stored XSS in the "New Group" dialog

Severity: Low

Prerequisite: An attacker must have access to the admin interface.

Description: There is a stored XSS vulnerability on the "group" tab on the security page in the admin interface (Security -> Groups -> New Group). It's possible to store a XSS within the group name. Everywhere where these group names are used, the XSS is executed. E.g. "New User" or "New Group".

Credits: Andreas Hunkeler (Compass Security AG, http://www.csnc.ch)

Security: XSS in CMS status messages

Severity: Low

Prerequisite: An attacker must have access to the admin interface.

Description: Any data returned to CMS status messages (Growl-style popovers on top right) was not escaped, allowing XSS e.g. when publishing a page with a specifically crafted "Title" field.

Credits: Andreas Hunkeler (Compass Security AG, http://www.csnc.ch)

API: More restrictive $allowed_actions checks for Controller when used with Extension

Controllers which are extended with $allowed_actions (through an Extension) now deny access to methods defined on the controller, unless this class also has them in its own $allowed_actions definition.

Upgrading

  • If you are using dev/tests/setdb and dev/tests/startsession, you'll need to configure a secure token in order to encrypt the cookie value: Simply run sake dev/generatesecuretoken and add the resulting code to your mysite/_config.php. Note that this functionality now requires the PHP mcrypt extension.

Changelog

API Changes

  • 2013-02-15 2352317 Filter composer files in IIS and Apache rules (fixes #8011) (Ingo Schommer)
  • 2013-02-12 d969e29 Require ADMIN for ?showtemplate=1 (Ingo Schommer)
  • 2013-02-12 45c68d6 Require ADMIN for ?showtemplate=1 (Ingo Schommer)
  • 2013-01-23 c69381c Remove Content-Length setting from HTTPResponse (fixes #8010) (Ingo Schommer)
  • 2012-12-11 10d447e Removed 'make getallmodules', use composer instead (Ingo Schommer)
  • 2012-12-10 efa9ff9 Queries added by DataList::addInnerJoin() and DataList::leftJoin() come after the base joins, not before. (stojg)
  • 2012-12-06 c6b1d4a Storing alternative DB name in cookie rather than session (Ingo Schommer)
  • 2012-11-29 f49f1ff Rename Transliterator to SS_Transliterator to remove conflict with Intl extension (Simon Welsh)
  • 2012-11-19 96e56a8 Removed 'new-project' command (Ingo Schommer)
  • 2012-11-19 8b68644 Moved build tools to new silverstripe-buildtools module (Ingo Schommer)
  • 2012-11-09 22095da Hash autologin tokens before storing in the database. (Mateusz Uzdowski)
  • 2011-03-16 d8bfc0b Added Security::set_login_url() so that you can define an alternative log-in page if you have made one yourself. (Sam Minnee)
  • 2011-03-16 f546979 Add a PermissionFailureException that can be thrown to trigger a log-in. (Sam Minnee)

Features and Enhancements

  • 2013-02-05 f0621cd Added ability to query size of Varchar (Daniel Hensby)
  • 2013-02-01 119d8aa Do not display SilverStripeNavigator_CMSLink when in a LeftAndMain extension not just CMSMain extensions (UndefinedOffset)
  • 2013-01-11 5b450f7 Added replaceExistingFile setting for UploadField. (Sam Minnee)
  • 2013-01-11 cc7318f Added canAttachExisting config option for UploadField. (Sam Minnee)
  • 2013-01-10 5e6f5f9 Allow configuration of send_all_emails_to, ccs_all_emails_to, and bcc_all_emails_to via the config system. (Sam Minnee)
  • 2013-01-09 67c5db3 Global default config for UploadField (Ingo Schommer)
  • 2013-01-09 2dfd427 Restrict upload abilities in UploadField (Ingo Schommer)
  • 2013-01-07 abbee41 Add ReadonlyField::setIncludeHiddenField() (Sam Minnee)
  • 2012-12-07 e8fbfc0 FixtureFactory separated out from YamlFixture (Ingo Schommer)
  • 2012-11-15 e07ae20 Added "phing phpunit" target (Ingo Schommer)
  • 2012-11-09 32f829d Support for Behat tests, and initial set of tests (Ingo Schommer)
  • 2012-11-09 9841d5b Added Behat tests (Ingo Schommer)
  • 2012-10-24 ea2dc9d Add ability to change URL for SS logo in CMS Menu (Loz Calver)
  • 2012-10-16 c4dde90 Allow hashes to be passed as ArrayList items; the will be turned into ArrayData objects. (Sam Minnee)
  • 2011-09-29 2916f20 Improve HTTP caching logic to automatically disable caching for requests that use the session. (Hamish Friedlander)
  • 2011-03-02 c3a3ff4 Added Email::send_all_emails_from() setting. (Sam Minnee)

Bugfixes

  • 2013-02-17 ede3813 Secure composer files from web access (fixes #8011) (Ingo Schommer)
  • 2013-02-17 e21bd49 TimeField respects user choice (fixes #8260) (Ingo Schommer)
  • 2013-02-07 79eacb2 Group->canEdit() correct non-admin checks (fixes #8250) (Ingo Schommer)
  • 2013-02-04 857d8bb Don't escape values on TreeDropdownField readonly views (Ingo Schommer)
  • 2013-02-04 97fbfd3 Respect escaping rules on readonly fields in CMS history view (Ingo Schommer)
  • 2013-02-04 e56a78b updateCMSFields not accepting var by reference (Michael Andrewartha)
  • 2013-02-04 866bb07 validate doesn't take var by reference (Michael Andrewartha)
  • 2013-02-04 1960df8 Strict error warnings on DataExtension (Michael Andrewartha)
  • 2013-01-31 1bb1090 Node updates in IE without non-object error (Ingo Schommer)
  • 2013-01-30 c9f728f Only check the remember token if a user exists (Simon Welsh)
  • 2013-01-24 f574979 Exception handling and email notification mechanism now correctly considers the stacktrace as provided by the exceptionHandler function, instead of attempting to perform a debug_backtrace further down the reporting chain (which ends up generating an unnecessarily nested stacktrace). Debug was cleaned up so that errorHandler and exceptionHandler both act consistently. As a result, the LogErrorEmailFormatter class could be simplified. (Damian Mooyman)
  • 2013-01-23 45eb0f9 PHPUnit latest not working with composer installed builds (Hamish Friedlander)
  • 2013-01-21 5d37d55 Form session message clearing regression (Ingo Schommer)
  • 2013-01-18 0c9b216 Escape the -f argument passed to mail() (Sam Minnee)
  • 2013-01-17 e74ec57 Permission checkbox display on members (fixes #8193) (Ingo Schommer)
  • 2013-01-15 a70df3e PaginatedList deprecated method was calling non-existent method (Jeremy Thomerson)
  • 2013-01-15 014f541 Regression in Form->clearMessage() (fixes #8186) (Ingo Schommer)
  • 2013-01-15 64d3a3d Don't double unescape URLs in history.js (fixes #8170) (Ingo Schommer)
  • 2013-01-15 420c639 Properly show link for showing and hiding class spec in model admin (jean)
  • 2013-01-15 f06ba70 Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer)
  • 2013-01-11 e020c7b doSave() and doDelete() should use translated singular name (uniun)
  • 2013-01-11 f8758ba Fixed margins so that margin is displayed between preview images and their title. (Sam Minnee)
  • 2013-01-11 2fdd9a3 Allow images attached to UploadFields to be unlinked without File::canEdit() or File::canDelete() permission. (Sam Minnee)
  • 2013-01-11 f4efaee Fix DataObject::get_one() when the classname is passed with improper casing. (Sam Minnee)
  • 2013-01-06 30096ee Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)
  • 2013-01-04 f8bbc0a Escape HTML in DropdownField and ListboxField (Ingo Schommer)
  • 2013-01-04 604ede3 Escape HTML in CMS status messages (Ingo Schommer)
  • 2013-01-04 7bb0bbf Fixed XSS in admin/security and "My Profile" forms (Ingo Schommer)
  • 2012-12-21 f0f83b2 Graceful handling of sprintf with too few params in i18n::_t() (Ingo Schommer)
  • 2012-12-19 22efd38 Calling DataObject::relField() on a object with an empty relation list (Stig Lindqvist)
  • 2012-12-18 6aba24b removeRequiredField() should use array_splice() instead of unset() (uniun)
  • 2012-12-18 d5a1c3d SS has problems handling + in URLs. Filter them out. (Mateusz Uzdowski)
  • 2012-12-14 55b611d Hardcoded project name in include_by_locale() (uniun)
  • 2012-12-13 d42c004 Fixed pagination functionality on root assets folder (Niklas Forsdahl)
  • 2012-12-12 639cc02 Fix insert media form inserting images from other UploadFields (fixes #8051) (Loz Calver)
  • 2012-12-11 f431b35 Confirmed Password Field now copies attributes to child fields. (Justin Martin)
  • 2012-12-07 4f63f91 Fixed issue with convertServiceProperty (Marcus Nyeholt)
  • 2012-12-06 1a4eaaa Ensure has length before using string index access. (Simon Elvery)
  • 2012-12-05 205ee42 Make sure a message is set on ValidationException objects. (Simon Elvery)
  • 2012-12-05 c0751df Remove handwritten SQL and use the ORM. (Mateusz Uzdowski)
  • 2012-12-04 0be51a9 Fix ModelAdmin search (fixes #8052) (Ingo Schommer)
  • 2012-12-04 1a4b245 Fix rewriteHashlinks in TabSet (Marcus Nyeholt)
  • 2012-12-04 3478813 Rewrite hashlinks failing on empty a tags (Marcus Nyeholt)
  • 2012-11-26 40a1a35 Namespaces for CmsFormsContext and CmsUiContext are wrong (Kirk Mayo)
  • 2012-11-23 4310718 Insert Media, inserts all previous media (fixes #7545) (UndefinedOffset)
  • 2012-11-23 453d04e Reset DataObject caches in SapphireTest->resetDBSchema() (Ingo Schommer)
  • 2012-11-23 a3cd7dd Force SapphireTest schema reset for extension changes (Ingo Schommer)
  • 2012-11-21 41aec54 Consistently use FormResponse in CMS JavaScript (fixes #8036) (Ingo Schommer)
  • 2012-11-20 8f89aa9 only call filemtime if file exists (Sander van Dragt)
  • 2012-11-16 76c63fe Fixed issue with SQLQuery::lastRow crashing on empty set. Added test cases for lastRow and firstRow. (Damian Mooyman)
  • 2012-11-15 c6fcb08 Video embed from Add Media Feature no longer works (open #8033) (stojg)
  • 2012-11-14 91e48b8 Provide fallback text for translations. (Simon Elvery)
  • 2012-11-12 2657a27 Adjust the handler to jQuery UI 1.9 API change. (Mateusz Uzdowski)
  • 2012-11-12 b6017a7 ArrayList now discards keys of the array passed in and keeps the numerically indexed array sequential. This fixes FirstLast and EvenOdd in templates, and makes ArrayList more consistent, as several methods already discarded the keys. (Andrew O'Neil)
  • 2012-11-12 d58b23d AssetAdmin filter array indices (fixes #8014) (Kirk Mayo)
  • 2012-11-09 434759c Correct redirection URL on deletion in GridFieldDetailForm (Ingo Schommer)
  • 2012-11-08 6882635 Fixing non-object on file upload (Sean Harvey)
  • 2012-11-08 6a69a2f Ensure required lang and css are loaded when using SiteTreeURLSegmentField (Simon Elvery)
  • 2012-02-09 c048a01 Avoid infinite redirection when logging out and when showing a custom login page after displaying the draft version of a page. (jean)
  • 2011-12-12 1e1df8c Improved detection of empty HTMLText fields. (Sam Minnee)
  • 2011-09-30 f41a7d8 Fix issue with not being able to log out on Chrome when caching enabled because of Chrome bug (Hamish Friedlander)
  • 2011-09-01 9a2ba48 Made CSRF-error wording friendlier. (Sam Minnee)
  • 2011-08-31 729bcc9 Don't clear form messages unless forTemplate() is actually called. BUGFIX: Clear session-stored form data as well as form error message. (Sam Minnee)
  • 2011-08-18 5f9348b Ensure that Security views respect redirections triggered by Page_Controller::init() (Sam Minnee)
  • 2011-07-07 b114aa2 Added X-Forwarded-Protocol and User-Agent to Vary header. (Sam Minnee)
  • 2011-05-26 55f3ec1 Added error message fields to default search form (Jean-Fabien)
  • 2011-05-23 7026a48 for date manipulation use the SS_Datetime::now, otherwise it does not respect the mock date. (Mateusz Uzdowski)
  • 2011-05-21 b7a1db7 Set up the test mailer before loading the fixture, in case fixture-creation causes emails to be generated. (Sam Minnee)
  • 2011-04-29 47e037e Removed notice-level error after forms w/ required fields are made readonly. (Sam Minnee)
  • 2011-04-20 33a1fc7 Fixed operation of inlined images in Mailer, when no inlined images actually attached. (Carlos Barberis)
  • 2011-04-18 f8206d1 Prevent notice-level error in Session code when non-array is turned into an array. (Sam Minnee)
  • 2011-03-15 6fcbad1 Updated SilverStripe error handler so that log_errors still works. (Sam Minnee)
  • 2011-03-11 82988d4 Better error message when 401 response is corrupted. (Sam Minnee)

Comments

Comment policy: Please use comments for tips and corrections about the described functionality.
Comments are moderated, we reserve the right to remove comments that are inappropriate or are no longer relevant. Use the Silverstripe Forum to ask questions.

blog comments powered by Disqus