| Name: | SilverStripe 3.5.3 stored WCI |
| --- | --- |
| Affected: | < 3.4.5, 3.5.0-3.5.3 |
| Fixed: | 3.4.6, 3.5.4, 3.6.0 |
| Prerequisites: | page edit permission |
Proof of Concept
The attacker needs permission to edit a page. Tested with a user that had the following permissions (+ granted, - not granted):
- (-) Access to all CMS sections
- (+) Access to 'Pages' section
- (+) Access to 'Files' section
- (+) Access to 'Reports' section
- (-) Access to 'Security' section
- (-) View any page
- (-) Edit any page
- (+) Change site structure
- (-) View draft content
The attacker edits a page and sets the following values, where the attacker's payload is `<img src=x onerror=alert(1)>`:
- Page name: New Page <img src=x onerror=alert(1)>
- Navigation label: New Page <img src=x onerror=alert(1)>
Then the attacker saves the changes by clicking the "Save draft" button, adds or edits some content, and saves the draft again.
The payload is executed when the victim compares different versions of this page by selecting the "History" tab and then "Compare mode (select two)". When two versions containing the attacker's payload are checked, the stored page name is rendered unescaped in the comparison view and the payload executes, allowing the attacker to run script in the victim's browser.
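To show the root cause of this class of bug and its fix, here is an added illustration written for this page (not SilverStripe's own code): a minimal "compare two versions" renderer for a page title that builds a word-level diff with `<ins>`/`<del>` markup. The vulnerable variant interpolates the stored values unescaped, so the advisory's payload reaches the reviewer's browser live; the hardened variant HTML-encodes each version before diffing, so every token in the output is inert text. The version strings and function names are constructed for this example.

```php
<?php
// Constructed sample versions, mirroring the advisory's PoC values.
$v1 = "New Page <img src=x onerror=alert(1)>";
$v2 = "Edited Page <img src=x onerror=alert(1)>";

// Word-level diff via longest common subsequence.
// Returns a list of [op, word] pairs with op in '=', '-', '+'.
function wordDiff(array $a, array $b): array {
    $n = count($a); $m = count($b);
    $L = array_fill(0, $n + 1, array_fill(0, $m + 1, 0));
    for ($i = $n - 1; $i >= 0; $i--) {
        for ($j = $m - 1; $j >= 0; $j--) {
            $L[$i][$j] = ($a[$i] === $b[$j])
                ? $L[$i + 1][$j + 1] + 1
                : max($L[$i + 1][$j], $L[$i][$j + 1]);
        }
    }
    $out = []; $i = 0; $j = 0;
    while ($i < $n && $j < $m) {
        if ($a[$i] === $b[$j])                { $out[] = ['=', $a[$i]]; $i++; $j++; }
        elseif ($L[$i + 1][$j] >= $L[$i][$j + 1]) { $out[] = ['-', $a[$i]]; $i++; }
        else                                   { $out[] = ['+', $b[$j]]; $j++; }
    }
    while ($i < $n) { $out[] = ['-', $a[$i++]]; }
    while ($j < $m) { $out[] = ['+', $b[$j++]]; }
    return $out;
}

// Renders the comparison. With $escape = false the stored field values are
// emitted as-is (the vulnerable behaviour); with $escape = true they are
// encoded *before* diffing, so no stored markup can become live HTML.
function renderDiff(string $old, string $new, bool $escape): string {
    if ($escape) {
        $old = htmlspecialchars($old, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $new = htmlspecialchars($new, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    $html = '';
    foreach (wordDiff(preg_split('/\s+/', trim($old)), preg_split('/\s+/', trim($new))) as [$op, $w]) {
        if ($op === '-')      { $html .= "<del>$w</del> "; }
        elseif ($op === '+')  { $html .= "<ins>$w</ins> "; }
        else                  { $html .= "$w "; }
    }
    return rtrim($html);
}

echo "Vulnerable: " . renderDiff($v1, $v2, false) . "\n"; // <img ...> tag stays live
echo "Hardened:   " . renderDiff($v1, $v2, true) . "\n";  // &lt;img ...&gt; is inert text
```

Encoding before the diff (rather than after) matters: the `<ins>`/`<del>` wrappers are the renderer's own trusted markup, while every word between them originates from the stored field and must be treated as untrusted data.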
A new release was published as a result, and the vulnerability is patched in SilverStripe 3.4.6, 3.5.4 and 3.6.0. Read more at: https://www.silverstripe.org/download/security-releases/ss-2017-004.
- 16.04.2017 | me > developer | vulnerability discovered
- 16.04.2017 | me > developer | sent the report to the developers
- 31.05.2017 | developer > public | new release published
- 02.06.2017 | me > public | details published