The buildDefaults method on DevelopmentAdmin is missing a permission check.
In live mode, if you access /dev/build, you are requested to login first. However, if you access /dev/build/defaults, then the action is performed without any login check. This should be protected in the same way that /dev/build is.
The buildDefaults view is requireDefaultRecords() on each DataObject class, and hence has the potential to modify database state. It also lists all modified tables, allowing attackers more insight into which modules are used, and how the database tables are structured.
CPE | Name | Operator | Version |
---|---|---|---|
silverstripe/framework | le | 3.1.16 | |
silverstripe/framework | lt | 3.3.0 | |
silverstripe/framework | le | 3.2.1 |
github.com/advisories/GHSA-x5w2-wcr8-9q45
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-028-1.yaml
github.com/silverstripe/silverstripe-framework/commit/15d4db3b4a7dbc9a7e089f9329a396f8408ed7d9
github.com/silverstripe/silverstripe-framework/commit/3398f670d881447f8777b567f1ead7c0d8d253f5
github.com/silverstripe/silverstripe-framework/commit/5d2fc0d7cac4ce686f7ae05c1a7b1ad8c01711a8
www.silverstripe.org/download/security-releases/ss-2015-028