Quitting as a core committer

Effective immediately, I am quitting as a core committer to SilverStripe. I have removed myself from the GitHub groups, the committer’s mailing list and the UserVoice forum.

This decision has been coming for some time now. I have problems with the direction and control of the project as well as the attitude of parts of the core group. These are becoming more apparent and I feel that I can no longer be associated with the leadership of the project.

SilverStripe: XSS in Redirection URL

SilverStripe advisory identifier: SS-2014-006
Versions Affected: 3.0.9, 3.1.3, and all previous versions.
Notified on: 2014-02-28

Attack Details

By crafting the value passed into Controller->redirect(), usually by setting the redirectURL GET parameter on a page that calls Controller->redirectBack(), an attacker can have that value output directly to the browser: if the page being requested has already sent output before the redirect call is made, the redirect cannot be issued as a header and the value is written into the response instead, allowing XSS.

If the server has a large enough output buffer that the headers have not been sent to the browser by the time the redirect call is made, then this attack will not work.
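As an added illustration of the failure mode described above (not SilverStripe's own code), the following PHP shows a minimal redirect helper in its unsafe form and in a form that validates and escapes the target when headers have already been sent; the function names and the meta-refresh fallback are assumptions made for the example.

```php
<?php
// Added example, not SilverStripe code. $url is assumed to be attacker-influenced
// (e.g. taken from a redirectURL request parameter).

function redirect_unsafe($url) {
    if (!headers_sent()) {
        header('Location: ' . $url);
        return;
    }
    // Vulnerable fallback: output has already been flushed, so the raw URL is
    // written straight into the HTML body. A crafted value breaks out of the
    // attribute and becomes script.
    echo "<meta http-equiv=\"refresh\" content=\"0; url=$url\">";
}

function redirect_safe($url) {
    // Accept only absolute http(s) URLs or site-relative paths; anything else
    // (javascript:, data:, protocol-relative //host) falls back to the site root.
    if (!preg_match('#^(https?://|/(?!/))#i', $url)) {
        $url = '/';
    }
    if (!headers_sent()) {
        header('Location: ' . $url);
        return;
    }
    // Fallback path: the URL is untrusted data inside an HTML attribute, so it
    // must be entity-encoded (quotes included) before it reaches the page.
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    echo '<meta http-equiv="refresh" content="0; url=' . $safe . '">';
}
```

Whether the fallback branch is reached depends on the output buffer, which is why the advisory notes that a sufficiently large buffer masks the issue without fixing it.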

SilverStripe: Privileged User Arbitrary Class Creation

SilverStripe advisory identifier: SS-2014-005
Versions Affected: 3.0.9, 3.1.3, and all previous versions.
Notified on: 2014-02-26

Attack Details

By changing the PageType value passed to CMSPageAddController, a user is able to create any arbitrary class. If this class is a DataObject, it is written to the database. This allows a user to create classes that they should not be able to.

As an extension of this, if the class in question has a writeWithoutVersion method – most commonly due to having the Versioned extension applied – then the user is able to set any fields that the class has in common with the fields presented in the CMSMain edit interface.