Unvalidated access to CSS and JS resources
Issue date: 28-04-2017Affects versions: 11.1, 10.2, 7.9
Security Issue ID
SECURITY-26
Affected Product Version(s)
This vulnerability applies to CMS 7.9.16, CMS 10.2.4, CMS 11.1.1 and earlier versions
Severity
Normal
Description
An unauthenticated user can directly access packaged resources and download them without being redirected to the login screen. For more information, see the behavior of Wicket's SecurePackageResourceGuard class.
This could lead to information disclosure and makes it easier for an attacker to identify other potential vulnerabilities in the application. Resources needed for the login page can be excluded from this authentication requirement by configuring a whitelist available in the console.
Instructions
Hippo has implemented a fix for this vulnerability across all supported versions and has provided new maintenance releases to be able to upgrade and close this vulnerability in your implementation of Hippo.
The solution to this vulnerability requires no changes to the Hippo based projects themselves if no customizations have been made of the CMS login page. Upgrading to the latest Hippo maintenance release CMS 11.1.2, CMS 10.2.5 or CMS 7.9.17 fixes this security issue. When the project does have customizations of the login page please have a look at Configure the CMS Package Resources Whitelist.
Note that the latest CMS 11.2 minor release already incorporated this fix and therefore doesn't require upgrading.