5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26138

GHSA ID

GHSA-7mv4-4xpg-xq44

EPSS Score

0.52242%

CWE

CWE-20

Published

3/26/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26138

CVE-2020-26138: FormField with square brackets in field name skips validation

FileField with array notation skips validation

The FileField class is commonly used for file upload in custom code on a Silverstripe website. This field is designed to be used with a single file upload.

PHP allows for submitting multiple values by adding square brackets to the field name. When this is done to a FileField, it will be coerced into allowing multiple files by using this notation. This is not a supported feature, though nothing is done to prevent this.

In this scenario, validation such as limiting allowed extensions is not applied, and the FileField->saveInto() behaviour is not triggered. If custom controller logic is used to process the file uploads, it might implicitly rely on validation to be provided by the Form system, which is not the case.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26138

GHSA ID

GHSA-7mv4-4xpg-xq44

EPSS Score

0.52242%

CWE

CWE-20

Published

3/26/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
silverstripe/framework	composer	>= 3.0.0, < 4.7.4	4.7.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) FileField's saveInto() method isn't designed to handle array-style PHP file uploads, and 2) Form validation skips fields with square bracket notation. The combination allows attackers to submit multiple files through a field designed for single files, bypassing extension validation. The FileField::saveInto method is explicitly mentioned as not being triggered in this scenario, and the Form validation system's failure to handle array-style field names is demonstrated in the example where $data['MyUnsafeField'] remains unvalidated. These components directly relate to the described vulnerability mechanisms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*il**i*l* wit* *rr*y not*tion skips v*li**tion T** *il**i*l* *l*ss is *ommonly us** *or *il* uplo** in *ustom *o** on * Silv*rstrip* w**sit*. T*is *i*l* is **si*n** to ** us** wit* * sin*l* *il* uplo**. P*P *llows *or su*mittin* multipl* v*lu*s *y

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) `*il**i*l*'s` `s*v*Into()` m*t*o* isn't **si*n** to **n*l* *rr*y-styl* `P*P` *il* uplo**s, *n* *) *orm v*li**tion skips *i*l*s wit* squ*r* *r**k*t not*tion. T** *om*in*tion *llows *tt**k*rs to su*mit mu

5.3

Basic Information

Concerned about an active attack path?

CVE-2020-26138: FormField with square brackets in field name skips validation

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI