Skip to content

Members with no password can be created and bypass custom login forms

Low
maxime-rainville published GHSA-36xx-7vf6-7mv3 Jul 31, 2023

Package

composer silverstripe/framework (Composer)

Affected versions

<4.13.14
>=5.0.0, <5.0.13

Patched versions

4.13.14
5.0.13

Description

When a new Member record was created in the cms it was possible to set a blank password. If an attacker knows the email address of the user with the blank password then they can attempt to log in using an empty password. The default member authenticator, login form and basic auth all require a non-empty password, however if a custom authentication method is used it may allow a successful login with the empty password. Starting with this release, blank passwords are no no longer allowed when members are created in the CMS. Programatically created Member records, such as those used in unit tests, still allow blank passwords. You may have some Member records in your system already which have empty passwords. To detect these, you can loop over all Member records with Member::get() and pass each record into the below method. It might be sensible to create a BuildTask for this purpose.

  private function memberHasBlankPassword(Member $member): bool
  {
      // skip default admin as this is created programatically
      if ($member->isDefaultAdmin()) {
          return false;
      }
      // return true if a blank password is valid for this member
      $authenticator = new MemberAuthenticator();
      return $authenticator->checkPassword($member, '')->isValid();
  }

Once you have identified the records with empty passwords, it's up to you how to handle this. The most sensible way to resolve this is probably to generate a new secure password for each of these members, mark it as immediately expired, and email each affected member (assuming they have a valid email address in the system).

Reported by: Sabina Talipova from Silverstripe and Christian Bünte

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

CVE ID

CVE-2023-32302

Weaknesses

No CWEs

Credits