unprivileged user can publish a private file in silverstripe/silverstripe-assets

Valid

Reported on

Mar 27th 2022


Description

A user who doesn't have any access to files can publish a file, and then an unauthenticated user can download that file.

Proof of Concept

1. From the admin account, add a new user called user-B as a Content Author.
Now give user-B permission in the Pages section only. Don't give files permission.
So user-B should not be able to access files.

2. Now from the admin account go to http://localhost/silverstripe/admin/assets/ and upload a file. Don't publish this file.
user-B should not be able to access this file.
Let's say the file id is 23.

3. Now go to user-B's account, edit any page, attach a file to this page and publish that page.
Here the request below is sent to the server:

POST /silverstripe/admin/pages/edit/EditForm/7/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Pjax: CurrentForm,Breadcrumbs
X-Requested-With: XMLHttpRequest
Content-Length: 1925
Origin: http://193.37.215.120
Connection: close
Referer: http://localhost/silverstripe/admin/pages/edit/show/7
Cookie: 

Title=admin-pageNew+Page&URLSegment=admin-pagenew-page&MenuTitle=admin-pageNew+Page&Content=<p><a href="[file_link,id=23]">sd</a><a>mjkhkh</a></p><p>&MetaDescription=&ExtraMeta=&ClassName=Page&ParentID=0&SecurityID=2a6bce172bfb6110234a0460ffecd38ba1bf0ec3&ID=7&AbsoluteLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F&LiveLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DLive&StageLink=http%3A%2F%2F193.37.215.120%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DStage&ArchiveWarningMessage=Warning%3A+This+page+and+all+of+its+child+pages+will+be+unpublished+before+being+sent+to+the+archive.%5Cn%5CnAre+you+sure+you+want+to+proceed%3F&TreeTitle=%3Cspan+class%3D%22jstree-pageicon+page-icon+font-icon-page+class-Page%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22item%22+data-allowedchildren%3D%22%5B%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-page%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CErrorPage%5C%5CErrorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BError+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-error%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CRedirectorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BRedirector+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-redirect%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CVirtualPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BVirtual+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-virtual%26quot%3B%7D%5D%22%3Eadmin-pageNew+Page%3C%2Fspan%3E&Action=split&action_publish=1&BackURL=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin%2Fpages%2Fedit%2Fshow%2F7

Here in this request just check the Content parameter value <p><a href="[file_link,id=23]">sd</a><a>mjkhkh</a></p><p> . Here user-B attached a file whose id is 23.
After publishing the page, the above file is also published by user-B.
user-B doesn't have permission in the Files section but can still publish that file using the above request, by attaching the file to a page.

4. Now any external unauthenticated user visiting the above page will see the file link and can download the file using a URL like https://localhost/silverstripe/assets/extention_brute.txt .

So user-B can publish a file even when he does not have permission in Files.

Impact

An unprivileged user can publish a file when he does not have permission in Files.

Impact

publish a private file
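The weakness the report describes is an authorisation gap in a cascading operation: the page publish is checked against the acting user, but the files the page owns through its [file_link,id=N] shortcodes get published as a side effect without a permission check of their own. The Python below is an added example, not SilverStripe's code, that models that scenario next to the hardened form a defender would want. The permission codes are modelled on SilverStripe's (CMS_ACCESS_CMSMain, CMS_ACCESS_AssetAdmin, FILE_EDIT_ALL, the last being the "Edit any file" permission discussed later on this page), but the rules attached to them, the Member, File and Page classes, the make_fixture data and both publish_recursive_* functions are the example's own assumptions.

```python
"""Cascading publish with per-owned-object authorisation.

Added example, not SilverStripe's code. It models the scenario in the report:
a Page whose Content references Files through [file_link,id=N] shortcodes,
and a "publish recursively" operation that also publishes those owned files.
The permission codes are modelled on SilverStripe's, but the rules attached
to them here are assumptions for the model, not the framework's logic.
"""
import re
from dataclasses import dataclass

# Matches the file_link shortcode seen in the report's Content parameter.
FILE_LINK = re.compile(r"\[file_link,id=(\d+)\]")


class PermissionDenied(Exception):
    """Raised when the acting member may not publish a record."""


@dataclass(frozen=True)
class Member:
    name: str
    permissions: frozenset


@dataclass
class File:
    id: int
    name: str
    published: bool = False

    def can_publish(self, member: Member) -> bool:
        # Assumed rule: publishing a file needs file-section rights.
        return bool(member.permissions & {"CMS_ACCESS_AssetAdmin", "FILE_EDIT_ALL"})


@dataclass
class Page:
    id: int
    content: str
    published: bool = False

    def can_publish(self, member: Member) -> bool:
        # Assumed rule: a content author may publish pages.
        return "CMS_ACCESS_CMSMain" in member.permissions

    def owned_file_ids(self) -> list:
        """File IDs the page owns via shortcodes in its content."""
        return [int(fid) for fid in FILE_LINK.findall(self.content)]


def publish_recursive_vulnerable(page: Page, files: dict, member: Member) -> None:
    """The pattern the report describes: only the root record is authorised;
    every owned file is published as a side effect, whatever the member's
    file permissions are."""
    if not page.can_publish(member):
        raise PermissionDenied(f"{member.name} may not publish page {page.id}")
    page.published = True
    for fid in page.owned_file_ids():
        if fid in files:
            files[fid].published = True  # no can_publish() check on the file


def publish_recursive_hardened(page: Page, files: dict, member: Member) -> None:
    """Authorise the root and every not-yet-published owned object before
    mutating anything, so a denied file leaves the page unpublished too."""
    if not page.can_publish(member):
        raise PermissionDenied(f"{member.name} may not publish page {page.id}")
    owned = [files[fid] for fid in page.owned_file_ids() if fid in files]
    denied = [f for f in owned if not f.published and not f.can_publish(member)]
    if denied:
        names = ", ".join(f"{f.name} (id={f.id})" for f in denied)
        raise PermissionDenied(f"{member.name} may not publish owned file(s): {names}")
    page.published = True
    for f in owned:
        f.published = True


def make_fixture():
    """Constructed data mirroring the report: a draft-only file with id 23,
    a page that links to it, a content author without file rights, and an
    admin who has them."""
    files = {23: File(23, "private.txt")}
    page = Page(7, '<p><a href="[file_link,id=23]">sd</a></p>')
    author = Member("user-B", frozenset({"CMS_ACCESS_CMSMain"}))
    admin = Member("admin", frozenset({"CMS_ACCESS_CMSMain", "CMS_ACCESS_AssetAdmin", "FILE_EDIT_ALL"}))
    return page, files, author, admin


if __name__ == "__main__":
    page, files, author, admin = make_fixture()
    publish_recursive_vulnerable(page, files, author)
    print("vulnerable: file 23 published by content author:", files[23].published)

    page, files, author, admin = make_fixture()
    try:
        publish_recursive_hardened(page, files, author)
    except PermissionDenied as exc:
        print("hardened:", exc)
    print("hardened: file 23 published:", files[23].published, "page published:", page.published)
```

The hardened variant collects every denied owned object before changing any state and rejects the whole publish, which avoids a half-published page and gives the user an actionable error naming the file; skipping the denied files silently would be the other reasonable design. Files that are already published are not re-checked, since linking to an already-public file grants nothing new.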

We are processing your report and will contact the silverstripe/silverstripe-assets team within 24 hours. 5 months ago
ranjit-git modified the report
5 months ago
We have contacted a member of the silverstripe/silverstripe-assets team and are waiting to hear back 4 months ago
We have sent a follow up to the silverstripe/silverstripe-assets team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the silverstripe/silverstripe-assets team. We will try again in 10 days. 4 months ago
4 months ago

Thanks for submitting this, we have replicated the issue at our end

4 months ago

I wasn't able to fully replicate publishing files, though there was an issue where protected images were viewable to users who should not have been able to see them

Could you please confirm if you'd like to be acknowledged in the official disclosure? Would crediting you as follows be OK?

ranjit-git via huntr.dev

Regards,
Steve Boyd
Silverstripe Product Developer

ranjit-git
4 months ago

Researcher


@maintainer Yes, I am OK with being acknowledged.

Jamie Slome
4 months ago

Admin


@maintainer - is this ready to be marked as valid and fixed?

4 months ago

We are still having internal discussions about this one as we have not fully replicated the original issue.

Regards,
Steve Boyd
Silverstripe Product Developer

ranjit-git
4 months ago

Researcher


I will send a video PoC to reproduce the bug.

ranjit-git modified the report
4 months ago
We have sent a third and final follow up to the silverstripe/silverstripe-assets team. This report is now considered stale. 4 months ago
4 months ago

On the video you provided, user11 / bug@localhost.com has the permission "Edit any file" - this essentially means they do have enough permissions to view and publish protected files. Therefore the issue as originally reported, where unprivileged users can publish protected files, isn't accurate.

While investigating this issue though, there was a related issue uncovered where protected images (not files like PDFs though) are able to be viewed in the CMS by users that shouldn't have permission to view them, by sending an XHR request as described. They still cannot publish them to the public asset store though. We have developed a fix internally for this which should be released in a month or two.

We've internally assessed the CVE for this at 3.9, so I'll change the assessment on this issue accordingly.

Regards,
Steve Boyd
Silverstripe Product Developer

4 months ago

Sorry by CVE for this at 3.9 I meant we assessed the CVSS as a 3.9.

Regards,
Steve Boyd
Silverstripe Product Developer

4 months ago

This isn't letting me change the severity from 7.1 (high) to 3.9 (low) - could you please do this for me? I'm happy to confirm this once that's done.

Regards,
Steve Boyd
Silverstripe Product Developer

ranjit-git
4 months ago

Researcher


@maintainer

"On the video you provided, user11 / bug@localhost.com has the permission "Edit any file" - this essentially means they do have enough permissions to view and publish protected files."

Sorry, I made a mistake in that video. user11 / bug@localhost.com does not need Edit any file. I forgot to revoke that permission from user11. You can revoke that permission and this bug is still reproducible. Can you please recalculate the CVSS score? If the severity remains the same then I will change the severity to your provided CVSS score.

ranjit-git
4 months ago

Researcher


So, user11 / bug@localhost.com does not have the Files section or the Edit any file permission. Now user-B is fully unprivileged to publish a file, but using this bug he can publish.

ranjit-git
4 months ago

Researcher


Pavlos
4 months ago

Admin


@maintainer sorry about the inability to assess the CVSS manually, we will deliver this functionality very soon.

In the meantime can you please tell us what vectors you used that led to a CVSS of 3.1? We will adjust it from our end :)

4 months ago

@ranjit-git - the new video posted is literally just an admin user publishing a file with no special permissions on it.

@pavlos - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C&version=3.1

Regards,
Steve Boyd
Silverstripe Product Developer

ranjit-git
4 months ago

Researcher


@maintainer I think you did not watch the video carefully. In this video user11 is a content author. I think you might have been confused as I recorded the video in the same browser. Actually in my Firefox browser I use two accounts. One for admin in normal mode. The other one is the content author in container-1. You might have assumed both accounts are the same.

ranjit-git
4 months ago

Researcher


You can even reproduce the bug yourself. Create a user with content-author permission and then revoke the Files section permission and revoke the edit-any-file permission. This user can then publish a file using this bug.

ranjit-git
4 months ago

Researcher


Just give me another chance; I will properly make a video with written steps. Within an hour I will upload a video.

ranjit-git
4 months ago

Researcher


VIDEO POC

https://drive.google.com/file/d/1uiMYZYq1XOquuWQLivLUV2a-KMS_1yzx/view

My steps:

  1. admin adds a user to the content-author group.
  2. revoke the permissions below for the content-author group: File section permission and Edit-Any-File permission.
  3. go to the content-author user account and publish the file like in my video.

Please let me know your final decision and final CVSS score.

ranjit-git modified the report
4 months ago
ranjit-git
4 months ago

Researcher


@maintainer I have adjusted to your provided CVSS score https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C&version=3.1 Please let me know if there is any issue.

silverstripe/silverstripe-assets maintainer validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the silverstripe/silverstripe-assets team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the silverstripe/silverstripe-assets team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the silverstripe/silverstripe-assets team. This report is now considered stale. 3 months ago
2 months ago

@Pavlos

I'd like to mark as fixed, though the fix is in silverstripe/assets, not silverstripe/framework

Fixed in version: 1.10.1

SHA: 5f6a73b010c01587ffbfb954441f6b7cbb54e767

Who should get rewarded for the patch: Nobody

Jamie Slome confirmed that a fix has been merged on 5f6a73 a month ago
The fix bounty has been dropped
Jamie Slome
a month ago

Admin


Sorted 👍
