
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN317
_____________________________________________________________________

DATE                : 14/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running silverstripe/framework versions
                     prior to 4.7.4 and 4.8.0;
                     silverstripe/graphql versions prior to 3.5.0 and
                     4.0.0-alpha2;
                     symbiote/silverstripe-queuedjobs versions prior to
                     3.0.2, 3.1.4, 4.0.7, 4.1.2, 4.2.4, 4.3.3, 4.4.3,
                     4.5.1, 4.6.4.

=====================================================================
https://www.silverstripe.org/download/security-releases/
_____________________________________________________________________


CVE-2021-25817 XXE Vulnerability in CSSContentParser

Severity:
    Low
Identifier:
    CVE-2021-25817
Versions Affected:
    silverstripe/framework: ^4.0.0
Versions Fixed:
    silverstripe/framework: ^4.7.4, ^4.8.0
Release Date:
    2021-06-08

A developer utility intended for parsing HTML within unit tests can be
vulnerable to XML External Entity (XXE) attacks. When this utility is
misused in custom project code to parse external or user-submitted data,
it can lead to vulnerabilities such as XSS in HTML output rendered
through that custom code. This is now mitigated by disabling external
entities during parsing.

Base CVSS: 3.3

CWP CVSS: 3.3

Thanks to Wang Zhen and Christopher Darling for reporting.


CVE-2020-26138 FormField with square brackets in field name skips
validation

Severity:
    Low
Identifier:
    CVE-2020-26138
Versions Affected:
    silverstripe/framework: ^3.0.0, ^4.0.0
Versions Fixed:
    silverstripe/framework: ^4.7.4, ^4.8.0
Release Date:
    2021-06-08

FileField with array notation skips validation

The FileField class is commonly used for file upload in custom code on a
Silverstripe website. This field is designed to be used with a single
file upload.

PHP allows multiple values to be submitted for one field by appending
square brackets to the field name. When this is done to a FileField, the
field is coerced into accepting multiple files through that notation.
This is not a supported feature, but nothing prevents it.

In this scenario, validation such as limiting allowed extensions is not
applied, and the FileField->saveInto() behaviour is not triggered. If
custom controller logic processes the file uploads, it might implicitly
rely on validation being provided by the Form system, which is not the
case here.

Note this issue is for the FileField, not the UploadField which is used
within the CMS.

Example:

use SilverStripe\Forms\FieldList;
use SilverStripe\Forms\FileField;
use SilverStripe\Forms\Form;
use SilverStripe\Forms\FormAction;
use SilverStripe\Forms\RequiredFields;

public function MyForm()
{
  $fields = FieldList::create(
    // Single-value field: the allowed-extension check applies as expected
    FileField::create('MySafeField')->setAllowedExtensions(['pdf']),
    // Array notation in the name: the check is skipped on submission
    FileField::create('MyUnsafeField[]')->setAllowedExtensions(['pdf'])
  );
  $actions = FieldList::create(
    FormAction::create('submit')
  );
  $validator = RequiredFields::create('MySafeField', 'MyUnsafeField');
  return Form::create($this, 'Form', $fields, $actions, $validator);
}

public function submit($data, $form)
{
  $uploads = $data['MyUnsafeField'];   // not validated
  $files   = $_FILES['MyUnsafeField']; // not validated
}
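The check a custom controller should perform itself rather than relying on the Form, as an added example (not Silverstripe's own code): it handles both a single upload and the array-notation form of $_FILES and enforces the extension allow-list explicitly. The function name, the allow-list and the sample $_FILES array are constructed for illustration.

```php
<?php
// Added example, not Silverstripe's own code: explicit server-side
// validation of a FileField upload in custom controller code, so that a
// submission using array notation ("MyUnsafeField[]") is not trusted.
// The function name, the allow-list and the sample $_FILES are constructed.
// Returns the uploads for $field as a flat list, whether the client sent
// one file or used PHP's array notation, rejecting any file whose
// extension is not in $allowed or that reports an upload error.
function validatedUploads(array $files, string $field, array $allowed,
                          bool $allowMultiple = false): array
{
    if (!isset($files[$field])) {
        return [];
    }
    $entry = $files[$field];
    // With "field[]" PHP turns every key (name, tmp_name, ...) into an array.
    $isMultiple = is_array($entry['name']);
    if ($isMultiple && !$allowMultiple) {
        throw new InvalidArgumentException("$field accepts a single file only");
    }
    $wrap = fn($v) => $isMultiple ? $v : [$v];
    [$names, $tmp, $err, $size] = [$wrap($entry['name']), $wrap($entry['tmp_name']),
                                   $wrap($entry['error']), $wrap($entry['size'])];
    $allowed = array_map('strtolower', $allowed);
    $out = [];
    foreach ($names as $i => $name) {
        if ($err[$i] !== UPLOAD_ERR_OK) {
            throw new InvalidArgumentException("upload error {$err[$i]} for $name");
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($ext === '' || !in_array($ext, $allowed, true)) {
            throw new InvalidArgumentException("extension '$ext' not allowed for $name");
        }
        $out[] = ['name' => basename($name), 'tmp_name' => $tmp[$i], 'size' => (int) $size[$i]];
    }
    return $out;
}

// Constructed $_FILES as PHP builds it for a field submitted as MyUnsafeField[]
$sample = ['MyUnsafeField' => [
    'name'     => ['report.pdf', 'page.html'],
    'tmp_name' => ['/tmp/phpA1', '/tmp/phpB2'],
    'error'    => [UPLOAD_ERR_OK, UPLOAD_ERR_OK],
    'size'     => [1024, 64],
]];
try {
    // With the default $allowMultiple = false the array form is refused outright.
    validatedUploads($sample, 'MyUnsafeField', ['pdf'], true);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL; // page.html is refused
}
```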

Base CVSS: 3.4

CWP CVSS: 3.4

Reporters: Dylan Wagstaff from Silverstripe Ltd


CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth

Severity:
    Moderate
Identifier:
    CVE-2020-26136
Versions Affected:
    silverstripe/graphql: ^3.0.0, ^4.0.0-alpha1
Versions Fixed:
    silverstripe/graphql: ^3.5.0, ^4.0.0-alpha2
Release Date:
    2021-06-08

The GraphQL module accepts basic-auth as an authentication method by
default. This can be used to bypass MFA if the silverstripe/mfa module
is installed, which is now common. A user's password is still required,
though.

Basic-auth has been removed as a default authentication method. If
desired, it can be re-enabled by adding it to the authenticators key of
a schema, or on SilverStripe\GraphQL\Auth\Handler, e.g.

  authenticators:
    -
      class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator
      priority: 20

Base CVSS: 4.2

CWP CVSS: 4.2

Reporters: Maxime Rainville from Silverstripe Ltd



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================