
Silva Security Bulletin: Potential security issue with External Sources

Publication date: 5 February 2008, 11:30

5 February 2008 – A security issue has been brought to our attention that potentially affects all versions of Silva using the External Sources extension. If you suspect your site is affected, this should prompt an update.

The issue

Silva indexes Silva Documents and other content to make it searchable. To this end the full text of a Silva Document (version) is extracted and stored in the catalog, so that searches on words occurring in the document will include the document in the results.

It appears that the full-text extraction was a tad naive: it takes the Silva XML and simply throws away all tags, keeping every piece of text in between. This is problematic in the case of Code Sources, whose parameter values appear enclosed in tags such as:

<source id="foo">
  <parameter type="string" key="should_be_hidden_text">
    verboten
  </parameter>
</source>

and in this case a search on ‘verboten’ would return the document containing this Code Source.
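To make the leak concrete, here is an added illustration (not code from Silva or SilvaDocument) of the two extraction strategies the bulletin contrasts: a naive extractor that keeps every text node regardless of the enclosing tag, and a hardened one that skips the whole <source> subtree so Code Source parameter values never reach the catalog. The sample XML is constructed for this example and is modelled on the snippet above; the real Silva document format and the actual SilvaDocument fix may differ.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the bulletin's snippet: a public paragraph
# plus a Code Source whose parameter value should never be searchable.
SAMPLE_XML = """<doc>
  <p>Public paragraph text.</p>
  <source id="foo">
    <parameter type="string" key="should_be_hidden_text">
      verboten
    </parameter>
  </source>
</doc>"""


def naive_fulltext(xml_text):
    """Naive extraction: strip all tags and keep every text node.

    Parameter values of Code Sources end up in the index, which is exactly
    the problem described in the bulletin.
    """
    root = ET.fromstring(xml_text)
    return " ".join(t.strip() for t in root.itertext() if t.strip())


def safe_fulltext(xml_text, hidden_tags=("source",)):
    """Hardened extraction: skip entire subtrees of the given tags.

    The text *after* a hidden element (its tail) still belongs to the
    surrounding document, so it is kept; only the element's own text and
    descendants are dropped.
    """
    root = ET.fromstring(xml_text)
    words = []

    def walk(el):
        if el.text and el.text.strip():
            words.append(el.text.strip())
        for child in el:
            if child.tag not in hidden_tags:
                walk(child)
            if child.tail and child.tail.strip():
                words.append(child.tail.strip())

    walk(root)
    return " ".join(words)


def leaks_parameter_values(extractor, xml_text):
    """Return True if any <parameter> value appears in the extracted text.

    Useful as a regression check when rebuilding the catalog after a fix.
    """
    root = ET.fromstring(xml_text)
    extracted = extractor(xml_text)
    for param in root.iter("parameter"):
        value = (param.text or "").strip()
        if value and value in extracted:
            return True
    return False


if __name__ == "__main__":
    print("naive:", naive_fulltext(SAMPLE_XML))
    print("safe: ", safe_fulltext(SAMPLE_XML))
    print("naive leaks:", leaks_parameter_values(naive_fulltext, SAMPLE_XML))
    print("safe leaks: ", leaks_parameter_values(safe_fulltext, SAMPLE_XML))
```

Running the block shows ‘verboten’ in the naive output and absent from the safe output; the leaks_parameter_values check is the kind of assertion worth keeping around so that a catalog rebuild after deploying the fix can be verified rather than assumed.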

There is probably no cause for panic. For this to be truly problematic, you would have to be using the External Sources extension; sensitive data (such as passwords or email addresses) would have to be stored as parameter values (i.e. authors would have had to fill in that data when editing a document containing the Code Source); and someone would have to search for the value, or for a word in close proximity to the Code Source parameter, in either Silva Find or the old search.

Having said that, for those of you who might have sensitive data as parameter values for Code Sources, it is important to update as soon as possible.

The fix

Deploy the relevant version of SilvaDocument to your site and rebuild the catalog (if you do not know how to do this, contact us and include your Silva version number). Note that simply deploying the fix is not enough: the leaked parameter values remain in the existing catalog until it is rebuilt. The fix is in SilvaDocument and is contained in the following releases:

https://infrae.com/download/Silva/2.0.5/Silva-2.0.5-all.tgz
https://infrae.com/download/Silva/1.6.2/Silva-1.6.2-all.tgz
https://infrae.com/download/Silva/1.5.11/Silva-1.5.11-all.tgz

We sincerely apologize for the inconvenience this undoubtedly causes for some of you.

More information

For more information, contact Eric Casteleijn, eric at infrae com, +31 10 243 7051.