Date

Information

Name: SilverStripe 3.5.3 stored WCI
Software: SilverStripe
Homepage: https://www.silverstripe.org/
Vulnerability: stored WCI
Affected: < 3.4.5, 3.5.0-3.5.3
Fixed: 3.4.6, 3.5.4, 3.6.0
Prerequisites: page edit permission
Severity: low
CVE: SS-2017-004

Description

An authenticated user with page edit permission can execute JavaScript in the victim's browser, potentially taking control of the victim's session.

Proof of Concept

The attacker needs permission to edit a page. Tested with a user having the following permissions:

CMS Access:

- Access to all CMS sections
+ Access to 'Pages' section
+ Access to 'Files' section
+ Access to 'Reports' section
- Access to 'Security' section

Content permissions:

- View any page
- Edit any page
+ Change site structure
- View draft content

Attacker edits a page and sets the following values:

Page name: New Page <img src=x onerror=alert(1)>
Navigation label: New Page <img src=x onerror=alert(1)>

where the attacker's payload is the following:

<img src=x onerror=alert(1)>

Then save the changes by clicking the "Save draft" button. Next, add or edit content and save the draft again.

The payload is executed when the victim compares different versions of this page by selecting the "History" tab and then "Compare mode (select two)". When two versions containing the attacker's payload are checked, the payload executes, allowing the attacker to run code in the victim's browser.
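As an added illustration (not part of this advisory and not SilverStripe's own code), the following Python sketch shows the rendering discipline a history compare view needs: each version's text is HTML-escaped before the <ins>/<del> diff markup is added, so a stored payload like the one above is displayed as text rather than parsed. The field names Title and MenuTitle are assumed stand-ins for the page name and navigation label, and the word-level diff is a simplified model, not the CMS's real comparison routine.

```python
import difflib
import html

# Constructed sample versions modelled on the advisory's scenario: the
# second draft carries the attacker-controlled markup in both fields.
OLD_VERSION = {"Title": "New Page", "MenuTitle": "New Page"}
NEW_VERSION = {"Title": "New Page <img src=x onerror=alert(1)>",
               "MenuTitle": "New Page <img src=x onerror=alert(1)>"}


def diff_field_html(old: str, new: str) -> str:
    """Render a word-level comparison of one field as HTML.

    Every token is escaped *before* the <ins>/<del> wrappers are added, so
    markup stored in either version is shown as literal text, never parsed.
    Escaping after diffing would instead neutralise the diff markup itself.
    """
    old_words, new_words = old.split(), new.split()
    matcher = difflib.SequenceMatcher(a=old_words, b=new_words, autojunk=False)
    parts = []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        removed = html.escape(" ".join(old_words[i1:i2]))
        added = html.escape(" ".join(new_words[j1:j2]))
        if op == "equal":
            parts.append(added)
        elif op == "delete":
            parts.append(f"<del>{removed}</del>")
        elif op == "insert":
            parts.append(f"<ins>{added}</ins>")
        else:  # "replace"
            parts.append(f"<del>{removed}</del> <ins>{added}</ins>")
    return " ".join(parts)


def compare_versions_html(old: dict, new: dict) -> dict:
    """Build the per-field HTML a compare view would show for two versions."""
    return {field: diff_field_html(old.get(field, ""), new.get(field, ""))
            for field in sorted(set(old) | set(new))}


def contains_raw_markup(rendered: str) -> bool:
    """Return True if any tag other than the diff wrappers survived unescaped."""
    stripped = rendered.replace("<ins>", "").replace("</ins>", "")
    stripped = stripped.replace("<del>", "").replace("</del>", "")
    return "<" in stripped


if __name__ == "__main__":
    for field, markup in compare_versions_html(OLD_VERSION, NEW_VERSION).items():
        print(field, "=>", markup)
```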

Impact

An authenticated user can execute JavaScript in the victim's browser, possibly allowing them to take control of an administrator's session.

Conclusion

A new release was published as a result, and the vulnerability is patched in SilverStripe 3.4.6, 3.5.4 and 3.6.0. Read more at: https://www.silverstripe.org/download/security-releases/ss-2017-004.

Timeline

  • 16.04.2017 | me > developer     | vulnerability discovered
  • 16.04.2017 | me > developer     | sent the report to the developers
  • 31.05.2017 | developer > public | new release published
  • 02.06.2017 | me > public        | details published