Web File Resources Downloadable from the Browser

Issue date: 17-11-2015
Affects versions: 10.1, 10.0

Issue id: SECURITY-4


Affected Product Version(s)

  • Hippo CMS 10.0.2-10.0.3, Hippo CMS 10.1.0
  • Modules: hst 3.0.0-3.0.1, hst 3.1.0


Severity

Normal


Description

The initial release of Hippo Web Files exposes a potential vulnerability: all web file resources can be downloaded from the browser by anyone who can guess their current access URL.

Besides the typical use of serving CSS and JavaScript resources through web files, which are intentionally accessible and downloadable from the browser, other resources such as Freemarker templates could also be downloaded by the browser.

The access URLs of these web file resources are, however, not easily determined or guessed by users: it is not possible to 'browse' or URL-navigate web files, and each web file resource URL also contains a dynamically generated cache ID.

To resolve this potential vulnerability, a new mandatory whitelisting configuration has been added to the web files functionality: the access paths of the web file resources that should be reachable from the browser must now be configured explicitly. Without such an explicit whitelist entry, web file resources are no longer accessible remotely.
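As an added illustration of the default-deny whitelist check the advisory describes (example code written for this page, not the HST module's own implementation or its configuration format): the prefixes and sample paths are constructed, and the check assumes the dynamic cache-ID segment has already been stripped from the URL.

```python
from posixpath import normpath
from urllib.parse import unquote

# Constructed allowlist of web file directory prefixes, in the spirit of the
# explicit access paths the advisory describes. This is an assumption for the
# example, not the HST whitelist file format or its loading code.
WEB_FILE_WHITELIST = ("css/", "js/", "images/", "fonts/")

def is_whitelisted(requested_path: str, whitelist=WEB_FILE_WHITELIST) -> bool:
    """Default-deny access check for a web file path (relative to the web
    files root, after the dynamic cache-ID segment has been stripped).

    The resource is served only when its decoded, normalised path starts
    with one of the whitelisted prefixes; everything else, including
    Freemarker templates, is refused even if the URL is guessed correctly."""
    if not requested_path:
        return False
    # Decode percent-encoding first so "css%2F..%2Fx" is judged as "css/../x".
    path = unquote(requested_path)
    # Refuse absolute paths, backslashes and NUL bytes outright.
    if path.startswith("/") or "\\" in path or "\0" in path:
        return False
    # Collapse "." and ".." segments so that "css/../freemarker/home.ftl"
    # cannot pose as a CSS resource; a leading ".." survives normpath and is
    # then rejected because it would escape the web files root.
    normalised = normpath(path)
    if normalised == "." or normalised.startswith(".."):
        return False
    return any(normalised.startswith(prefix) for prefix in whitelist)

# Constructed sample requests and the decision each should get.
SAMPLE_REQUESTS = {
    "css/site.css": True,
    "js/app.js": True,
    "freemarker/homepage.ftl": False,                # template, not whitelisted
    "css/../freemarker/homepage.ftl": False,         # traversal out of css/
    "css%2F..%2Ffreemarker%2Fhomepage.ftl": False,   # encoded traversal
    "../css/site.css": False,                        # escapes the web files root
    "cssx/evil.css": False,                          # prefix must match a directory
}

def check_samples() -> bool:
    """Return True when every constructed sample is decided as expected."""
    return all(is_whitelisted(p) is expected for p, expected in SAMPLE_REQUESTS.items())

if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(f"{path!r:45} -> {'allow' if is_whitelisted(path) else 'deny'}")
```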


Instructions

The ability to optionally configure web files resource whitelisting was released in the earlier maintenance release Hippo CMS 10.0.3 and the new minor release Hippo CMS 10.1.0, through modules hst-3.0.1 and hst-3.1.0.

The optional whitelisting configuration is now enforced in the new maintenance release tags hst-3.0.2 and hst-3.1.1.

We strongly advise existing users to upgrade to one of these newer hst modules as soon as possible.

Instructions for configuring the now mandatory whitelisting configuration can be found on the Using Web Files documentation page.

A new maintenance release for Hippo CMS 10.0.4 and Hippo CMS 10.1.1, which will include these updated modules, can be expected in 2 weeks.