SilverStripe Framework and CMS 3.1.11 Security Release

41 views
Skip to first unread message

Damian Mooyman

unread,
Mar 19, 2015, 1:27:49 AM3/19/15
to silverst...@googlegroups.com

A high level security issue has been noted in the SilverStripe CMS.


Issue CVE


SS-2015-008


Severity


Important


Affected version


CMS Module 3.1.0 - 3.1.10, 3.1.11-rc1, 3.0.11 and below


Affected users


Any website which exposes the SiteTree (or subclasses thereof) via the RestfulServer module, or provides CMS access to users with limited content-creation permissions.


Details


By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system.


This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks.


This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.


Cause


Insufficient permission validation in the SiteTree::canCreate method.


Planned Release


A fix for this issue is included in the 3.0.12 and 3.1.11 releases which have been released Thursday 19th of March 2015.


All users should upgrade as possible.


James Cocker

unread,
Mar 19, 2015, 8:29:53 AM3/19/15
to silverst...@googlegroups.com
A side effect of this fix appears to be that any page types with canCreate set to false now appear in the Add page list, but are disabled. Whereas before they wouldn't display in this list.

Lots of people including myself used this method to tidy up the list of page types on the Add page screen, by setting canCreate to false for any page types that we didn't want CMS users to see.

If I update my sites to 3.1.11 suddenly lots of disabled page types are going to clutter up the Add new page type list.


Before (3.1.10):



After (3.1.11):



Is this intended?

If it is, how should we now go about completely hiding page types from the Add New list?

If it isn't intended, can we look at resolving this so that it functions as it did before in this regard?

Many Thanks
James 
Reply all
Reply to author
Forward
0 new messages