CVE-2022-37430 - Silverstripe XSS Vulnerability in `silverstripe/framework` (href Attribute Exploit, Simple Breakdown and Exploit Example)
---
Silverstripe is a popular open source CMS and framework written in PHP. In 2022, a security issue was identified in the Silverstripe core framework (versions through 4.11), tracked as CVE-2022-37430. This post walks through what the issue is, how it can be exploited, and how to keep your Silverstripe installation safe.
What is CVE-2022-37430?
In plain language, CVE-2022-37430 is a Cross Site Scripting (XSS) vulnerability in Silverstripe's framework before version 4.12. The bug lies in how Silverstripe generates HTML anchor tags (<a>): when setting the href attribute, user-submitted or external input was not always properly validated, so a URL with a dangerous scheme could reach the rendered page unchanged.
If an attacker can control the href, they can inject a javascript: URL that runs when another user clicks the crafted link. Because the script executes in the origin of the affected site, this can lead to session hijacking, credential theft, or actions performed in the victim's name.
This vulnerability is issue 2 of 2 mentioned in the public Silverstripe security advisory.
Where is the Vulnerability?
The bug exists in the template rendering layer, and the same mistake is easy to make in application code whenever user input is echoed into a link's href attribute without validation. Here's a simplified code snippet (plain PHP for illustration, not Silverstripe's own code) showing the risky pattern:
// BAD: Directly outputting user input as the href value
$link = $_GET['link']; // User provided
echo "<a href=\"{$link}\">Visit this page</a>";
If a user sends the following as the link parameter:
javascript:alert('XSS')
the rendered HTML becomes:
<a href="javascript:alert('XSS')">Visit this page</a>
When a victim clicks the link, their browser runs the JavaScript with the victim's session and in the origin of the vulnerable site.
The crafted URL an attacker would send to a victim looks like this:
https://victim-site.com/page?link=javascript:alert('XSS')
Successful XSS:
If the vulnerable code renders the href without validating the URL scheme, clicking the link pops up an alert or runs whatever code the attacker placed after javascript:. Note that nothing fires on page load; the payload needs the click.
Example Proof of Concept (PoC)
<?php
// Vulnerable endpoint (generic PHP for illustration): http://site.com/showlink.php?link=javascript:alert('XSS')
$link = $_GET['link']; // attacker-controlled query parameter
echo "<a href=\"{$link}\">Click me!</a>"; // no scheme check, no escaping
When visiting
http://site.com/showlink.php?link=javascript:alert(1)
The browser renders
<a href="javascript:alert(1)">Click me!</a>
Clicking "Click me!" executes the JavaScript.
Why This Happens
The core of this vulnerability is the missing validation of the href value. HTML-escaping alone does not help here, because javascript:alert(1) contains no characters that escaping would touch; the browser sees a javascript: URL and executes it when the user clicks the link.
Silverstripe's framework did not always validate the scheme of URLs placed into href attributes, so externally supplied values could reach the rendered anchor unchanged. Developers and theme authors who echo external or user-provided values into hrefs in their own templates face the same risk.
How To Fix
Upgrade:
This bug is fixed in Silverstripe framework 4.12 and later (release notes here).
You should upgrade immediately.
Sanitize and Validate Input:
If you're dealing with links from users, escaping alone is not enough. htmlspecialchars() stops an attacker from breaking out of the attribute (for example with " onmouseover="alert(1)), but it leaves javascript:alert(1) untouched, because that string contains no HTML-special characters. You need both: an allow-list of URL schemes and escaping of the final value.
$link = $_GET['link'];
$safeLink = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
// Still vulnerable to javascript: URLs - escaping only prevents attribute break-out
echo '<a href="' . $safeLink . '">Visit this page</a>';
// Correct: allow only known-safe schemes (case-insensitive), and still escape the value
if (preg_match('/^(https?|mailto):/i', $link)) {
echo '<a href="' . $safeLink . '">Safe Link</a>';
}
If your application also needs relative links, extend the allow-list deliberately rather than switching to a deny-list of javascript:; deny-lists miss variants such as mixed case, embedded tabs or newlines, and other executable schemes like data: and vbscript:.
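As an added example (not code from the original post or from the Silverstripe project), the following PHP script puts the three approaches side by side: the raw echo, escaping only, and a scheme allow-list combined with escaping. It runs over a constructed set of inputs covering the post's payload plus common variants (mixed case, embedded tab, HTML entity for the colon, attribute break-out, data: URL, protocol-relative URL) together with legitimate links, so you can see which approach lets which input through. The function names render_unsafe(), render_escaped_only(), safe_href() and render_safe() are assumptions for this example; PHP 8 is assumed for str_starts_with().

```php
<?php
// Added example, not code from the original post or the Silverstripe project.
// Assumed helper names: render_unsafe(), render_escaped_only(), safe_href(), render_safe().
// Requires PHP 8 (str_starts_with).
declare(strict_types=1);

// 1. The risky pattern from the post: the raw value lands in href.
function render_unsafe(string $link): string
{
    return '<a href="' . $link . '">Visit this page</a>';
}

// 2. HTML escaping only. This stops attribute break-out ("..." onmouseover=...) but
//    passes javascript:alert(1) through unchanged: it has no HTML-special characters.
function render_escaped_only(string $link): string
{
    return '<a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '">Visit this page</a>';
}

// 3. Validate the scheme, then escape. Returns null when the link must be rejected.
function safe_href(string $link): ?string
{
    $link = trim($link);
    // Browsers drop tab/newline anywhere in a URL before reading the scheme, so
    // "java\tscript:" executes as javascript:. Reject control characters outright
    // instead of trying to mimic that normalisation.
    if ($link === '' || preg_match('/[\x00-\x1f\x7f]/', $link)) {
        return null;
    }
    // Protocol-relative links ("//evil.example") send users off-site; reject them.
    if (str_starts_with($link, '//')) {
        return null;
    }
    // Anything of the form "scheme:..." must use an allow-listed scheme (matched
    // case-insensitively, so JaVaScRiPt: is caught). Everything else is a relative path.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $link, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return null; // javascript:, data:, vbscript:, unknown schemes
        }
        if ($scheme !== 'mailto') {
            $host = parse_url($link, PHP_URL_HOST);
            if (!is_string($host) || $host === '') {
                return null; // e.g. "http:foo" with no authority part
            }
        }
    }
    // Escaping is still required: it blocks attribute break-out, and it keeps entity
    // tricks such as "javascript&colon;alert(1)" from being decoded back into a
    // colon by the browser (the & becomes &amp;).
    return htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
}

function render_safe(string $link): string
{
    $href = safe_href($link);
    if ($href === null) {
        return '<span>Visit this page</span>'; // render text, not a link
    }
    return '<a href="' . $href . '">Visit this page</a>';
}

// Constructed sample inputs: the post's payload, common variants, and legitimate links.
$samples = [
    "javascript:alert('XSS')",
    'JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    'javascript&colon;alert(1)',
    '" onmouseover="alert(1)',
    'data:text/html,<script>alert(1)</script>',
    '//evil.example/',
    'https://example.com/page',
    '/about-us',
    'mailto:security@example.com',
];

foreach ($samples as $input) {
    echo "input:        " . json_encode($input, JSON_UNESCAPED_SLASHES) . "\n";
    echo "unsafe:       " . render_unsafe($input) . "\n";
    echo "escaped only: " . render_escaped_only($input) . "\n";
    echo "allow-list:   " . render_safe($input) . "\n\n";
}
```

Run it with `php safe_href.php` and compare the three output lines per input: the escaped-only rendering neutralises the break-out and the &colon; variant but still emits a clickable javascript: link for the first three payloads, while the allow-list version renders plain text for every dangerous input and a normal link for the legitimate ones. Rejecting control characters rather than stripping them is a deliberate choice: it avoids having to replicate browser URL normalisation exactly, at the cost of refusing a few malformed but harmless links.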
References
- CVE-2022-37430 on NVD
- Silverstripe Security Advisory
- Silverstripe Framework Release Notes 4.12
- OWASP XSS Prevention Cheat Sheet
The fix is available from version 4.12. Upgrade as soon as possible, and validate URL schemes before placing any external value into an href.
*Stay updated. Sanitize inputs. And don’t click suspicious links!*
Timeline
Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/30/2022 14:18:00 UTC