
CVE-2020-26138: FormField with square brackets in field name skips validation

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.52242%
Published: 3/26/2022
Updated: 2/7/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name: silverstripe/framework
Ecosystem: composer
Vulnerable Versions: >= 3.0.0, < 4.7.4
First Patched Version: 4.7.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two points: 1) FileField's saveInto() method is not designed to handle array-style PHP file uploads, and 2) form validation skips fields whose names use square-bracket notation. Together these allow an attacker to submit multiple files through a field designed for a single file, bypassing extension validation. The advisory explicitly notes that FileField::saveInto is not triggered in this scenario, and the form validation system's failure to handle array-style field names is shown in its example, where $data['MyUnsafeField'] remains unvalidated. Both components map directly to the described vulnerability mechanism.
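As an added illustration (this is not code from the page, from SilverStripe, or from Miggo), the following standalone PHP snippet shows the two halves of the mechanism described above: PHP turns a field submitted as `MyUnsafeField[]` into an array, so a validator written for a scalar field name never examines the individual entries, and a single-file field can end up carrying several uploads. The hardened check rejects the array form outright for a field declared single-file and validates every entry's extension when multiple files are expected. The field name `MyUnsafeField`, the function names, the allow-list and the `$_FILES`-shaped sample data are assumptions constructed for the example; nothing here uses the SilverStripe API.

```php
<?php
// Added example (not SilverStripe or Miggo code). Shows why array-style
// upload names slip past a scalar-only validator and how to harden it.
// Field names, allow-list and $_FILES-shaped data are constructed here.

// 1) Bracket notation in a request becomes an array on the PHP side.
//    For ordinary form fields parse_str shows the same parsing rule that
//    the multipart parser applies to $_FILES.
parse_str('MyUnsafeField[]=report.pdf&MyUnsafeField[]=script.php', $parsed);
// $parsed['MyUnsafeField'] is now ['report.pdf', 'script.php'], not a string.

$allowedExtensions = ['pdf', 'png', 'jpg'];

// Constructed stand-in for $_FILES['MyUnsafeField'] when the field is
// submitted once as "MyUnsafeField".
$singleUpload = [
    'name'     => 'report.pdf',
    'type'     => 'application/pdf',
    'tmp_name' => '/tmp/phpA1',
    'error'    => UPLOAD_ERR_OK,
    'size'     => 1024,
];

// Constructed stand-in for $_FILES['MyUnsafeField'] when the field is
// submitted twice as "MyUnsafeField[]": every key holds an array.
$arrayUpload = [
    'name'     => ['report.pdf', 'script.php'],
    'type'     => ['application/pdf', 'text/plain'],
    'tmp_name' => ['/tmp/phpB1', '/tmp/phpB2'],
    'error'    => [UPLOAD_ERR_OK, UPLOAD_ERR_OK],
    'size'     => [1024, 256],
];

function extensionAllowed(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// 2) Weak validator: written for a scalar 'name'. When the array form
//    arrives it has nothing it knows how to check and lets the field through,
//    which is the "validation is skipped" behaviour the root cause describes.
function weakValidate(array $file, array $allowed): bool
{
    if (!is_string($file['name'])) {
        return true; // array form: no per-entry check is performed
    }
    return extensionAllowed($file['name'], $allowed);
}

// Hardened validator: a field declared single-file refuses the array form,
// and when multiple files are allowed every entry is validated individually.
// Returns [bool $ok, string $reason].
function validateFileField(array $file, array $allowed, bool $allowMultiple = false): array
{
    $isArrayForm = is_array($file['name']);
    if ($isArrayForm && !$allowMultiple) {
        return [false, 'array-style upload rejected for single-file field'];
    }
    $names = $isArrayForm ? $file['name'] : [$file['name']];
    foreach ($names as $name) {
        if (!is_string($name) || !extensionAllowed($name, $allowed)) {
            return [false, 'disallowed extension: ' . var_export($name, true)];
        }
    }
    return [true, 'ok'];
}

var_dump(weakValidate($arrayUpload, $allowedExtensions));
var_dump(validateFileField($singleUpload, $allowedExtensions));
var_dump(validateFileField($arrayUpload, $allowedExtensions));
var_dump(validateFileField($arrayUpload, $allowedExtensions, true));
```

Running the script, the weak validator accepts the array-form upload without looking at either filename, while the hardened validator accepts the single upload, rejects the array form for the single-file field, and, when multiple files are explicitly allowed, rejects the second entry because `.php` is not on the allow-list. The design point is that the shape of the input (scalar versus array) is itself part of the contract a file field must enforce, independently of any extension check.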


WAF Protection Rules

WAF Rule

FileField with array notation skips validation. The FileField class is commonly used for file upload in custom code on a Silverstripe website. This field is designed to be used with a single file upload. PHP allows for submitting multiple values by
