Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We've moved the forum!

Please use for any new questions (announcement).
The forum archive will stick around, but will be read only.

You can also use our Slack channel or StackOverflow to ask for help.
Check out our community overview for more options to contribute.

CWP Open Developer Discussion /

Techincal discussion of SilverStripe use on the NZ Govt Common Web Platform.

Moderators: camfindlay, Ed, Sigurd, swaiba

CWP Recipe 1.0.7 released

Go to End



Community Member, 63 Posts

31 March 2015 at 3:43pm

Kia ora,

Version 1.0.7 of the CWP Basic Recipe has been released on 26th March 2015.

This release includes patches for security vulnerabilities of a high severity in the cms, and resolves an issue with GridField in framework. The GridField issue is a bug that was introduced 1.0.6. It was reported as a bug by an agency, and was preventing them from deleting assets in the normal way. We apologise for the inconvenience this caused.

Agencies should perform this upgrade ASAP. This release only includes updates to the cms and framework modules and not any other recipe modules.

When do you need to perform this upgrade?

Agencies must upgrade prior to 31st May 2015. If an agency has not upgraded by that date, SilverStripe is obliged to perform the upgrade under the terms of the contract. This is a last resort as it will incur cost and creates a risk of functionality breaking.

Information to help manage upgrades is here.

Details of the vulnerabilities

By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system.

This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks.

This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.

Additionally an issue in the rewriting of hashlinks has been resolved, which closes a potential cross site scripting vulnerability. A link to a page containing a hash link could have a querystring containing unsafe code included, and this would be embedded into the content of the page in an unsafe way.

This vulnerability affects all websites.

Further information can be found in the 1.0.7 changelog here.

Is my site vulnerable?

All websites are vulnerable to at least one of the security issues noted.

Technical Upgrade Guide

These fixes will be included in the CWP recipe 1.0.7, but will also be available to users of the SilverStripe framework and cms 3.1.12.

A description for technical staff on how to carry out an upgrade is found here.

Kind regards,

CWP Team