mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
e9d88dd8ee
Rebased on 3.1
364 lines
17 KiB
Markdown
364 lines
17 KiB
Markdown
# 2.4.4 (2010-12-21)
|
|
|
|
## Overview
|
|
|
|
* Security: SQL information disclosure in MySQLDatabase
|
|
* Security: XSS in controller handling for missing actions
|
|
* Security: SQL injection with Translatable extension enabled
|
|
* Security: Version number information disclosure
|
|
* Security: Weak entropy in tokens for CSRF protection, autologin, "forgot password" emails and password salts
|
|
* Security: HTTP referer leakage on Security/changepassword
|
|
* Security: CSRF protection bypassed when handling form action requests through controller
|
|
* Improved security of PHPSESSID and byPassStaticCache cookies (setting them to 'httpOnly')
|
|
|
|
## Upgrading Notes
|
|
|
|
### If you're using open_basedir in PHP:
|
|
|
|
There is a bug in 2.4.4 which breaks open_basedir restriction.
|
|
|
|
The issue has been fixed in the development 2.4 branch, but you'll need to patch your existing copy of SilverStripe
|
|
2.4.4 if this affects you. The error usually occurs when you try logging into the CMS.
|
|
|
|
It can be fixed by patching your working copy with this change: http://open.silverstripe.org/changeset/115314
|
|
|
|
### Security: SQL information disclosure in MySQLDatabase
|
|
|
|
#### Description
|
|
|
|
The 'showqueries' GET parameter shows all performed SQL queries in the page output.
|
|
This is intended functionality, but should be limited websites not being in "live mode"
|
|
(set through Director::set_environment_type(), checked through Director::isLive()).
|
|
By adding an 'ajax' GET parameter you can circumvent this live check.
|
|
|
|
See Secunia Advisory: http://secunia.com/advisories/42346/
|
|
|
|
#### Solution
|
|
|
|
Don't circumvent Director::isLive() check in MySQLDatabase
|
|
|
|
#### Impact
|
|
|
|
Information disclosure of potentially sensitive information through SQL query strings.
|
|
|
|
#### Reported by
|
|
|
|
Andrew Lord, Nathaniel McHugh
|
|
|
|
#### Patches
|
|
|
|
* trunk: http://open.silverstripe.org/changeset/114782
|
|
* 2.4: http://open.silverstripe.org/changeset/114783
|
|
|
|
|
|
### Security: XSS in controller handling for missing actions
|
|
|
|
#### Description
|
|
|
|
Controller routing in SilverStripe core doesn't encode
|
|
error messages for missing URL actions before returning
|
|
them to the user (see Controller->handleAction()).
|
|
|
|
This can be reproduced with any URL that doesn't
|
|
have custom error handling defined through RequestHandler::$url_handlers,
|
|
which includes all core controllers.
|
|
|
|
Reproduce with the following URL:
|
|
`http://`<your-host>`/Security/%3Cvideo%20src=1%20onerror=%22alert%281%29%22%3E;;`
|
|
|
|
See Secunia Advisory: http://secunia.com/advisories/42346/
|
|
|
|
#### Solution
|
|
|
|
Force Content-Type: text/plain upon output.
|
|
|
|
#### Impact
|
|
|
|
Attackers can craft URLs to change the displayed website behaviour
|
|
as well as gain access to authenticated cookie information.
|
|
In case the victim has a permanent login cookie ("Remember me" checkbox),
|
|
this can lead to CMS access for attackers.
|
|
|
|
#### Reported by
|
|
|
|
Tim Suter, Andrew Horton (http://security-assessment.com)
|
|
|
|
#### Patches
|
|
|
|
* trunk: http://open.silverstripe.org/changeset/114444
|
|
* 2.4: http://open.silverstripe.org/changeset/114751
|
|
|
|
|
|
### Security: SQL injection with Translatable extension enabled
|
|
|
|
#### Description
|
|
|
|
Locale setter methods on i18n and Translatable classes are not sanitizing or whitelisting input,
|
|
which can lead to SQL injection based on "locale" GET parameters. This behaviour
|
|
is limited to websites having the (built-in) Translatable extension activated.
|
|
|
|
#### Solution
|
|
|
|
Sanitize locale values in Translatable->augmentSQL() and whitelist
|
|
locale values in i18n setters.
|
|
|
|
#### Impact
|
|
|
|
High
|
|
|
|
#### Affected Versions
|
|
|
|
* SilverStripe trunk
|
|
* SilverStripe 2.4.3 or older
|
|
* SilverStripe 2.3.9 or older
|
|
|
|
#### Provided by
|
|
|
|
Pavol Ondras
|
|
|
|
#### Patches
|
|
|
|
* trunk: http://open.silverstripe.org/changeset/114515
|
|
* 2.4: http://open.silverstripe.org/changeset/114516
|
|
* 2.3: http://open.silverstripe.org/changeset/114517
|
|
|
|
|
|
### Security: Version number information disclosure
|
|
|
|
SilverStripe exposes version information through
|
|
static files located in the webroot. As these files
|
|
have no extension, they are served without processing
|
|
by most webserver default configurations.
|
|
|
|
The files are:
|
|
sapphire/silverstripe_version
|
|
cms/silverstripe_version
|
|
|
|
See http://open.silverstripe.org/ticket/5031
|
|
See http://secunia.com/advisories/42346/
|
|
|
|
#### Solution
|
|
|
|
Reject web requests to version information through .htaccess for Apache, and web.config for IIS.
|
|
|
|
#### Impact
|
|
|
|
Version Information about the product can be used to craft attacks more specifically.
|
|
|
|
#### Reported by
|
|
|
|
Robert Mac Neil
|
|
|
|
#### Patches
|
|
|
|
* trunk: http://open.silverstripe.org/changeset/114774 http://open.silverstripe.org/changeset/114770
|
|
* 2.4: http://open.silverstripe.org/changeset/114774 http://open.silverstripe.org/changeset/114771
|
|
* 2.3: http://open.silverstripe.org/changeset/114776 http://open.silverstripe.org/changeset/114772
|
|
|
|
|
|
### Security: Weak entropy in tokens for CSRF protection, autologin, "forgot password" emails and password salts
|
|
|
|
SilverStripe uses rand(), mt_rand() in combination with
|
|
uniqid(), substr() and time() to create pseudo-random tokens.
|
|
Due to the nature of these implementations, the entropy
|
|
of tokens is low, potentially exposing them to brute force attacks.
|
|
|
|
Affected functionality:
|
|
|
|
* CSRF form protection
|
|
* Member Autologin
|
|
* "Forgot Password" emails
|
|
* Autogenerated salt values for hashed passwords in the Member table
|
|
|
|
#### Solution
|
|
|
|
Use the best available PRNG implementation on the current platform
|
|
and PHP version (favouring MCRYPT_DEV_URANDOM and openssl_random_pseudo_bytes()).
|
|
|
|
#### Impact
|
|
|
|
Weak entropy can be used for more successful brute force attacks.
|
|
|
|
#### Reported by
|
|
|
|
Andrew Horton (http://security-assessment.com)
|
|
|
|
#### Patches
|
|
|
|
* trunk: http://open.silverstripe.org/changeset/114497 http://open.silverstripe.org/changeset/114498
|
|
http://open.silverstripe.org/changeset/114503 http://open.silverstripe.org/changeset/114504
|
|
http://open.silverstripe.org/changeset/114505
|
|
* 2.4: http://open.silverstripe.org/changeset/114499 http://open.silverstripe.org/changeset/114500
|
|
http://open.silverstripe.org/changeset/114506 http://open.silverstripe.org/changeset/114507
|
|
* 2.3: http://open.silverstripe.org/changeset/114501 http://open.silverstripe.org/changeset/114502
|
|
http://open.silverstripe.org/changeset/114509
|
|
|
|
|
|
### Security: HTTP referer leakage on Security/changepassword
|
|
|
|
#### Description
|
|
|
|
The Security/changepassword URL action can be invoked with a temporary
|
|
token stored against the member record ("AutoLoginHash"). This token is set
|
|
when a member requests a new password by email through Security/lostpassword,
|
|
and cleared upon successful password change.
|
|
|
|
The token is passed as a GET parameter, which can expose it to HTTP referer
|
|
leakage, in case the member decides to navigate away from the "change password" form
|
|
before submitting the form (which would invalidate the token).
|
|
If the clicked link is an external page, the (still valid) GET parameter will appear
|
|
in the external site's HTTP referer logs, enabling third parties to take over
|
|
user accounts.
|
|
|
|
Note: This is only a problem when Security/changepassword is used without being logged-in.
|
|
|
|
#### Solution
|
|
|
|
Redirect from Security/changepassword/?h=XXX to Security/changepassword
|
|
and store the token in session instead.
|
|
|
|
#### Impact
|
|
|
|
Takeover of user accounts by third parties with access to HTTP referer logs.
|
|
|
|
#### Provided By
|
|
|
|
Andrew Lord
|
|
|
|
#### Patches
|
|
|
|
* trunk: http://open.silverstripe.org/changeset/114758
|
|
* 2.4: http://open.silverstripe.org/changeset/114760
|
|
* 2.3: http://open.silverstripe.org/changeset/114763
|
|
|
|
|
|
### Security: CSRF protection bypassed when handling form action requests through controller
|
|
|
|
#### Description
|
|
|
|
The built-in CSRF protection on forms in SilverStripe can be bypassed
|
|
by routing the action through the controller instead of the form.
|
|
|
|
Protected: mycontroller/MyForm/?action_doSubmit=1
|
|
|
|
Unprotected: mycontroller/action_doSubmit
|
|
|
|
Note: Does not apply to manual CSRF protection in controller actions
|
|
through SecurityToken->check().
|
|
|
|
#### Solution
|
|
|
|
Developers are encouraged to use Controller::$allowed_actions to limit the
|
|
actions accessible through URL routing. Methods that need automatic CSRF
|
|
protection (most form actions) should NOT be included in $allowed_actions,
|
|
their protection is handled through request handling in the form class itself.
|
|
|
|
See [security](/topics/security#limiting_url-access_to_controller_methods) documentation for more details.
|
|
|
|
#### Impact
|
|
|
|
Exposes various administrative actions (creating a new page, reverting to draft)
|
|
to CSRF attacks, in case attackers know the URL a victim has a valid CMS login for.
|
|
|
|
#### Provided By
|
|
|
|
Ingo Schommer
|
|
|
|
#### Patches
|
|
|
|
|
|
* trunk: http://open.silverstripe.org/changeset/115182 http://open.silverstripe.org/changeset/115185
|
|
* 2.4: http://open.silverstripe.org/changeset/115189 http://open.silverstripe.org/changeset/115188
|
|
* 2.3: http://open.silverstripe.org/changeset/115200 http://open.silverstripe.org/changeset/115191
|
|
|
|
|
|
## Changelog
|
|
|
|
### Features and Enhancements
|
|
|
|
* [rev:114901] Allow setting secure session cookies when using SSL. Recent change r114567 made this impossible. (thanks simon_w!) (from r114900)
|
|
* [rev:114572] 'bypassStaticCache' cookie set in Versioned is limited to httpOnly flag (no access by JS) to improve clientside security (from r114568)
|
|
* [rev:114571] Session::start() forces PHPSESSID cookies to be httpOnly (no access by JS) to improve clientside security (from r114567)
|
|
* [rev:114499] Added !RandomGenerator for more secure CRSF tokens etc. (from r114497)
|
|
* [rev:114467] PHP requirements in installer now check for date.timezone correctly being set for PHP 5.3.0+. This option is *required* to be set starting with 5.3.0 and will cause an error during installation if not
|
|
* [rev:114083] Added SS_HTTPResponse->setStatusDescription() as equivalent to setStatusCode(). Added documentation.
|
|
* [rev:113963] Split temp directory check and writability into two checks
|
|
* [rev:113961] #6206 Installer additional checks for module existence by checking _config.php exists, in addition to the directory
|
|
* [rev:113919] Allowing i18nTextCollector to discover entities in templates stored in themes/ directory (thanks nlou) (from r113918)
|
|
* [rev:113871] Update Asset's left and right panels with filders and files after 'Look for new files' was triggered (open #5543)
|
|
|
|
|
|
### API Changes
|
|
|
|
* [rev:114474] Using i18n::validate_locale() in various Translatable methods to ensure the locale exists (as defined through i18n::$allowed_locales) (from r114470)
|
|
|
|
|
|
### Bugfixes
|
|
|
|
* [rev:115189] Removing form actions from $allowed_actions in !AssetAdmin, CMSMain, !LeftAndMain - handled through Form->httpSubmission() (from r115185)
|
|
* [rev:115188] Checking for existence of !FormAction in Form->httpSubmission() to avoid bypassing $allowed_actions definitions in controllers containing this form
|
|
* [rev:115188] Checking for $allowed_actions in Form class, through Form->httpSubmission() (from r115182)
|
|
* [rev:115169] Fixed conflicting check of mysite directory with recommendation of removal of _config.php in installer
|
|
* [rev:114941] #6162 CMSMain::publishall() fails when over 30 pages (thanks natmchugh!) (from r114940)
|
|
* [rev:114922] #6219 Director::direct() validation fails for doubly nested file fields (thanks ajshort!) (from r114921)
|
|
* [rev:114823] Installer should check asp_tags is disabled, as it can cause issues with !SilverStripe
|
|
* [rev:114783] Removed switch in !MySQLDatabase->query() to directly echo queries with 'showqueries' parameter when request is called via ajax (from r114782)
|
|
* [rev:114774] Disallow web access to sapphire/silverstripe_version to avoid information leakage (from r114773)
|
|
* [rev:114771] Disallow web access to cms/silverstripe_version to avoid information leakage (from r114770)
|
|
* [rev:114760] Avoid potential referer leaking in Security->changepassword() form by storing Member->!AutoLoginHash in session instead of 'h' GET parameter (from r114758)
|
|
* [rev:114719] Fallback text for "Password" in !ConfirmedPasswordField when no translation found
|
|
* [rev:114683] Populates the page with fake data in order to pass subsequent unit tests
|
|
* [rev:114654] Test if form is the right class (if a class decorates the content controller, this test would break ie sphinx)
|
|
* [rev:114516] Escaping $locale values in Translatable->augmentSQL() in addition to the i18n::validate_locale() input validation (from r114515)
|
|
* [rev:114512] Limiting usage of mcrypt_create_iv() in !RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specically in IIS) (from r114510)
|
|
* [rev:114507] Using !RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of '!RememberLoginToken' and '!AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504)
|
|
* [rev:114506] Using !RandomGenerator class in !PasswordEncryptor->salt() (from r114503)
|
|
* [rev:114500] Using !RandomGenerator class in !SecurityToken->generate() for more random tokens
|
|
* [rev:114473] Check for valid locale in i18n::set_locale()/set_default_locale()/include_locale_file()/include_by_locale() (as defined in i18n::$allowed_locales). Implicitly sanitizes the data for usage in controllers. (from r114469)
|
|
* [rev:114445] Don't allow HTML formatting in !RequestHandler->httpError() by sending "Content-Type: text/plain" response headers. (from r114444)
|
|
* [rev:114208] Including template /lang folders in i18n::include_by_locale() (implementation started in r113919)
|
|
* [rev:114195] Added !SecurityToken to !PageCommentInterface->!DeleteAllLink() (fixes #6223, thanks Pigeon)
|
|
* [rev:114083] Strip newlines and carriage returns from SS_HTTPResponse->getStatusDescription() (fixes #6222, thanks mattclegg) (from r114082)
|
|
* [rev:114081] Removed double quoting of $where parameter in Translatable::get_existing_content_languages() (fixes #6203, thanks cloph) (from r114080)
|
|
* [rev:114036] Fixed case where !AssetAdmin would throw an error if $links was not an object in !AssetAdmin::getCustomFieldsFor()
|
|
* [rev:113976] #6201 Use of set_include_path() did not always include sapphire paths in some environments
|
|
* [rev:113962] Installer now checks temporary directory is writable, in addition to it being available.
|
|
* [rev:113809] #6197 simon_w: Fixed Internal Server Error when accessing assets on Apache without mod_php.
|
|
* [rev:113692] Avoid reloading CMS form twice after certain saving actions (fixes #5451, thanks muzdowski)
|
|
|
|
|
|
### Minor changes
|
|
|
|
* [rev:114916] Ensure php5-required.html template shows correct minimum and recommended PHP versions (thanks mattcleg!) (from r114915)
|
|
* [rev:114751] Setting Content-Type to text/plain in various error responses for !RestfulServer (from r114750)
|
|
* [rev:114749] Reverting Member "!AutoLoginHash", "!RememberLoginToken" and "Salt" to their original VARCHAR length to avoid problems with invalidated hashes due to shorter field length (from r114748)
|
|
* [rev:114745] Partially reverted r114744
|
|
* [rev:114744] Reduced VARCHAR length from 1024 to 40 bytes, which fits the sha1 hashes created by !RandomGenerator. 1024 bytes caused problems with index lengths on MySQL (from r114743)
|
|
* [rev:114720] Code formatting change in !ConfirmedPasswordField::__construct()
|
|
* [rev:114454] Added exception handling if !ClassName is null in search results
|
|
* [rev:114334] Checking for class_exists() before !SapphireTest::is_running_tests() to avoid including the whole testing framework, and triggering PHPUnit to run a performance-intensive directory traversal for coverage file blacklists (from r114332)
|
|
* [rev:114079] Reverted r108515
|
|
* [rev:114078] Documentation for Aggregate caching (from r114077)
|
|
* [rev:114062] fixed visual glitch in CMS access tab for IE
|
|
* [rev:114036] Defined $backlinks as an array before adding entries to it
|
|
* [rev:114016] Fixed php tag in !SecurityTokenTest, should be "<?php" not "<?"
|
|
* [rev:113984] Installer now writes "!SetEnv HTTP_MOD_REWRITE On" in .htaccess to be consistent with the original .htaccess file that comes with the phpinstaller project
|
|
* [rev:113968] Fixed PHP strict standard where non-variables cannot be passed by reference
|
|
* [rev:113967] Fixed undefined variable $groupList
|
|
* [rev:113964] Re-use variable instead of check temp folder again
|
|
* [rev:113956] Make sure that Translatable creates a translated parent of !SiteTree only when the parent is not translated (from r113955)
|
|
* [rev:113937] don't trigger notice but Debug::show it
|
|
* [rev:113936] don't trigger notice but Debug::show it
|
|
* [rev:113933] test doesn't fail anymore due to time differences between db and php. The test now issues notices, warnings and errors depending on the severity of the offset
|
|
* [rev:113924] Fixed spaces with tabs in Core
|
|
* [rev:113923] Fixed spaces with tabs for Core::getTempFolder()
|
|
* [rev:113696] call jquery-ui from thirdparty folder instead google api (see ticket 5915) (from r113656)
|
|
* [rev:113695] Typo in !AssetAdmin (fixes #6191, thanks Juanitou)
|
|
* [rev:113690] Updated cs_CZ and sk_SK translations in sapphire/javascript (fixes #6085, thanks Pike)
|
|
* [rev:113689] Making some !JavaScript strings in cms/javascript translatable, and updated their cs_CZ and sk_SK translations (fixes #6085, thanks Pike)
|
|
|
|
|
|
### Other
|
|
|
|
* [rev:114464] FIX: Revert last commit
|
|
* [rev:114463] FIX: Revert last commit |