Introduction
Silverstripe is a popular open source CMS for creating and maintaining websites. During a recent client engagement, Bastion were able to identify a stored cross-site scripting (XSS) vulnerability within the Silverstripe framework. The issue was raised to Silverstripe and was rated as medium severity (CVE-2024-32981) by the Silverstripe team. This post outlines the technical details of this vulnerability, how it could be exploited and the potential impact for the users and organisations.
The Silverstripe team were responsive and informative throughout the disclosure process, promptly identifying the cause and deploying a fix.
The Vulnerability
The administration panel of Silverstripe can be accessed by users of varying permissions. These permissions are enforced through roles that can be created and assigned by administrator users. For example, a role named publisher would usually be able to edit and publish content, but have no visibility over more privileged actions such as user or role management.
Bastion was able to identify a stored XSS vulnerability that could be exploited by any user with permissions to publish content. By publishing a base64 encoded payload within a content block, a lower privileged user would be able to execute JavaScript within the context of an administrator’s browser when they visit the affected page.
The vulnerability arose due to insufficient server-side validation, and a reliance on client-side validation which was able to be bypassed. When attempting to publish content through the browser, it would be HTML entity encoded, preventing execution. However, if the request to publish content is submitted directly through a tool such as Burp Suite or Curl it would bypass the client-side validation.
The vulnerability could be exploited using a URL encoded version of the below payload submitted within the ‘Content’ parameter of a POST request to edit the content block:
</p><style><img src="</style><img src=x "><object data="data:text/html;base64,IDxzY3JpcHQ+YWxlcnQoJ1hTUycpPC9zY3JpcHQ+Cg=="></object>
This payload utilises the HTML object tag, which is commonly used to embed external content. In this case the external content type is defined as a text/HTML document that is in a base64 encoded format. When a browser attempts to access this external content, it will decode the base64 encoded payload and execute:
<script>alert('XSS')</script>
In this case, an alert dialogue will pop up with the text containing (‘XSS’), as shown in the following image.
Potential Impact
The payload would execute when the relevant page of the public facing site is vistited. As Silverstripe’s administration panel displays a preview when editing pages, this will also execute within the administration panel.
A threat actor that was able to gain access to a lower privileged user on the CMS could craft a payload to escalate their privileges to administrator. This could be achieved through a payload that when executed would create an administrator user or by redirecting an administrator to a phishing page. Accessing the administrators session token would not be viable due to the implementation of the HttpOnly flag.
How To Fix It
Silverstripe has released the patch for all versions affected. More details could be found here.
Vulnerability Disclosure Timeline
- 10/01/2024 - Issue reported to Silverstripe
- 07/05/2024 - Silverstripe confirmed receiving the bug report
- 08/07/2024 - Silverstripe validated the issue
- 18/07/2024 - Patch released and CVE assigned