Cache Poisoning Affecting silverstripe/framework package, versions >=4.0.0, <4.4.7; >=4.5.0, <4.5.4; >=3.0.0, <3.7.5


Severity: medium

Snyk CVSS
  • Attack Complexity: High
  • Integrity: High

Threat Intelligence
  • EPSS: 0.08% (36th percentile)

NVD: 5.9 medium

  • Snyk ID SNYK-PHP-SILVERSTRIPEFRAMEWORK-584903
  • published 16 Jul 2020
  • disclosed 16 Jul 2020
  • credit memN0ps, Aura Information Security, Will Boucher, Pulse Security, Sabine Degen

How to fix?

Upgrade silverstripe/framework to version 4.4.7, 4.5.4, 3.7.5 or higher.

Overview

silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS.

Affected versions of this package are vulnerable to Cache Poisoning. Silverstripe CMS sites which have opted into HTTP Cache Headers on responses served by the framework's HTTP layer can be vulnerable to web cache poisoning. By modifying the X-Original-Url and X-HTTP-Method-Override headers, requests with malicious HTTP headers can cause unexpected responses to be returned to other consumers of the cached response. Most other headers associated with web cache poisoning are already disabled through request hostname forgery whitelists.

Silverstripe CMS also supports an alternative means to override a request's HTTP method by including a _method parameter in a POST request. This behaves similarly to the X-HTTP-Method-Override headers and is susceptible to the same vulnerability.

The impact of this vulnerability depends on how you are using request data. The risk potential increases when your site allows user-contributed content (such as comments or wiki-style pages).

In addition to public cache headers such as Cache-Control: max-age=<age>, there needs to be an intermediary HTTP cache between the website user and the server. This role is often filled by Content Delivery Networks (CDNs) and system components such as Varnish, but can also appear in the user's own network path (corporate proxies).
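
As a triage aid for the conditions described above, the following added example (not part of the advisory or of Silverstripe's own code) scans recorded request/response pairs for the override inputs named here arriving together with a response that a shared cache may store. The record layout, function names and sample records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Request headers the advisory names as override inputs.
OVERRIDE_HEADERS = ("x-original-url", "x-http-method-override")

def lower_keys(headers):
    """HTTP header names are case-insensitive; normalise them."""
    return {k.lower(): v for k, v in headers.items()}

def is_publicly_cacheable(cache_control):
    """True if a shared cache (CDN, Varnish, proxy) may store and reuse the response.
    Simplification: only explicit freshness (s-maxage / max-age > 0) counts."""
    directives = {}
    for part in cache_control.lower().split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name] = value.strip('"')
    if {"no-store", "private", "no-cache"} & directives.keys():
        return False
    for key in ("s-maxage", "max-age"):  # s-maxage takes precedence in shared caches
        if key in directives:
            return directives[key].isdigit() and int(directives[key]) > 0
    return False

def override_inputs(method, headers, body=""):
    """List the override inputs from the advisory that this request carries."""
    h = lower_keys(headers)
    found = [name for name in OVERRIDE_HEADERS if name in h]
    form = h.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if method.upper() == "POST" and form and "_method" in parse_qs(body, keep_blank_values=True):
        found.append("_method")
    return found

def flag_exchanges(exchanges):
    """Return (id, inputs) where an override input met a cacheable response."""
    flagged = []
    for ex in exchanges:
        inputs = override_inputs(ex["method"], ex["req"], ex.get("body", ""))
        cache_control = lower_keys(ex["resp"]).get("cache-control", "")
        if inputs and is_publicly_cacheable(cache_control):
            flagged.append((ex["id"], inputs))
    return flagged

# Constructed sample records (hypothetical layout, not real traffic).
SAMPLE = [
    {"id": 1, "method": "GET", "req": {"X-Original-Url": "/other-page"}, "resp": {"Cache-Control": "public, max-age=300"}},
    {"id": 2, "method": "GET", "req": {"Host": "example.test"}, "resp": {"Cache-Control": "max-age=300"}},
    {"id": 3, "method": "POST", "req": {"Content-Type": "application/x-www-form-urlencoded"}, "body": "_method=GET&q=1", "resp": {"cache-control": "max-age=60"}},
    {"id": 4, "method": "GET", "req": {"X-HTTP-Method-Override": "POST"}, "resp": {"Cache-Control": "private, max-age=300"}},
]
```

Records 1 and 3 are flagged; record 4 carries an override header but its response is marked `private`, so a shared cache should not store it.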

References