SilverStripe: Privileged User Arbitrary Class Creation

SilverStripe advisory identifier: SS-2014-005
Versions Affected: 3.0.9, 3.1.3, and all previous versions.
Notified on: 2014-02-26

Attack details

By changing the PageType value passed to CMSPageAddController, a user can instantiate any arbitrary class. If that class is a DataObject, the instance is written to the database. This allows a user to create records of classes that they should not be able to.

As an extension of this, if the class in question has a writeWithoutVersion method – most commonly due to having the Versioned extension applied – then the user is able to set any fields that the class has in common with the fields presented in the CMSMain edit interface.

Performing the attack

CMSPageAddController

Set the "Choose where to create this page" option to "Top Level". Change the value of one of the PageType radio button options to the name of the class you want to create. Submit the form.

CMSMain

Create a string using the format new-<classname>-0. For example, new-Member-0 would be used to create a new Member object (note: this will not be written to the database, as the Member class does not have a writeWithoutVersion method). Change the value of the hidden ID field (it has an ID of Form_EditForm_ID) to this value and submit the form.
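Both entry points share the same root cause: a class name taken from the request reaches instantiation (and, via writeWithoutVersion, the database) without being checked against the set of page types the user may create. The following is an added, illustrative server-side check written for a SilverStripe 3.x code base; it is not SilverStripe's own patch for SS-2014-005. It assumes the 3.x API names ClassInfo::exists(), singleton(), Member::currentUser() and DataObject::canCreate(), and that page types are SiteTree subclasses.

```php
<?php
// Added example (not SilverStripe's patch): validate a class name coming from
// the request before CMSPageAddController / CMSMain instantiate or write it.

/**
 * Returns true only if $className is an existing SiteTree subclass that the
 * given member is permitted to create. Rejects DataObjects such as Member,
 * non-page classes, and malformed names.
 */
function validateRequestedPageClass($className, $member = null) {
    // Accept only plain PHP identifiers; anything else is not a class name.
    if (!is_string($className) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $className)) {
        return false;
    }

    // The class must be known to the manifest (assumed SS 3.x API).
    if (!ClassInfo::exists($className)) {
        return false;
    }

    // It must be a page type, i.e. SiteTree or a subclass of it. This is what
    // stops "Member" (or any other DataObject) from being created here.
    if ($className !== 'SiteTree' && !is_subclass_of($className, 'SiteTree')) {
        return false;
    }

    // Finally apply the class's own permission model for the current user.
    $member = $member ? $member : Member::currentUser();
    if (!singleton($className)->canCreate($member)) {
        return false;
    }

    return true;
}

/**
 * Parses the Form_EditForm_ID value used for unsaved records. Only the exact
 * "new-<ClassName>-<ParentID>" shape is accepted; the class is then checked
 * with validateRequestedPageClass() before any object is constructed.
 * Returns array('class' => ..., 'parentID' => ...) or null if rejected.
 */
function parseNewItemId($id, $member = null) {
    if (!is_string($id) || !preg_match('/^new-([A-Za-z_][A-Za-z0-9_]*)-(\d+)$/', $id, $m)) {
        return null;
    }
    if (!validateRequestedPageClass($m[1], $member)) {
        return null;
    }
    return array('class' => $m[1], 'parentID' => (int) $m[2]);
}

// Usage inside a controller action (illustrative):
//   $spec = parseNewItemId($request->requestVar('ID'));
//   if ($spec === null) return $this->httpError(403);
//   $record = Object::create($spec['class']);   // safe: class was whitelisted
//   $record->ParentID = $spec['parentID'];
```

The important design point is the order of the checks: the class-name syntax and SiteTree-subclass tests run before anything is instantiated, so a crafted PageType or ID value never becomes an object at all, and canCreate() is consulted on the resolved class rather than on whatever the form assumed the user was creating.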

PayPal: simon@simon.geek.nz