Craft News

Craft 2.6.2784 Released with New Security Features

May 4, 2016 in Announcements

We just released Craft CMS 2.6.2784, which introduces two new security features that you should know about.

Image MIME Type Verification

Yesterday it became known that a vulnerability in ImageMagick is being actively exploited in the wild. Craft sites that A) are configured to process images with ImageMagick and B) allow untrusted users to upload images are at risk.

At this time the ImageMagick team has not yet produced a patch, but they have offered some guidance on how to mitigate the vulnerability, via MIME type verification. When Craft needs to do some processing on an image, it should be reading a portion of the file to verify it really looks like an image (rather than taking the file extension’s word for it) before passing the file off to ImageMagick for processing. As of this release, Craft is doing exactly that.
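The check described above, written as an added PHP example rather than Craft's own code: it reads the first bytes of an upload and compares them with known image signatures instead of trusting the extension. The function names, the three allowed formats and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example (not Craft's code): identify an image by its leading bytes,
// ignoring the file name, before any image library is allowed to open it.
const IMAGE_SIGNATURES = [
    'image/jpeg' => ["\xFF\xD8\xFF"],
    'image/png'  => ["\x89PNG\r\n\x1A\n"],
    'image/gif'  => ['GIF87a', 'GIF89a'],
];

/** Returns the detected MIME type, or null if the header matches no allowed format. */
function sniffImageType(string $path): ?string
{
    $handle = @fopen($path, 'rb');
    if ($handle === false) {
        return null;
    }
    $header = (string) fread($handle, 16); // a short file simply yields fewer bytes
    fclose($handle);
    foreach (IMAGE_SIGNATURES as $mime => $signatures) {
        foreach ($signatures as $signature) {
            if (strncmp($header, $signature, strlen($signature)) === 0) {
                return $mime;
            }
        }
    }
    return null;
}

/** The extension must agree with the sniffed type; otherwise the upload is rejected. */
function isSafeToProcess(string $path): bool
{
    $expected = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $type = sniffImageType($path);
    return $type !== null && isset($expected[$ext]) && $expected[$ext] === $type;
}

// Constructed sample uploads: a real PNG header, and a text file renamed to .png.
$dir = sys_get_temp_dir();
$samples = [
    'photo.png'   => "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR",
    'renamed.png' => "this is plain text, not image data\n",
];
foreach ($samples as $name => $bytes) {
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    file_put_contents($path, $bytes);
    echo $name, ': ', isSafeToProcess($path) ? 'pass to image library' : 'reject', PHP_EOL;
    unlink($path);
}
```

A matching signature only decides which files reach the image library; it does not validate the rest of the file.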

Elevated User Sessions

One of the most common ways that sites get hacked is through XSS (“cross-site scripting”) vulnerabilities. The concept is pretty simple: if an attacker can find a way to get a webpage to execute custom JavaScript code, they could use it to make other site visitors perform actions that they didn’t intend to.

We’ve always been proactive about preventing XSS vulnerabilities within Craft’s Control Panel, where we have full control over what gets output, but front-end templates are a different story. Here’s an example: if you have a Plain Text field that is output with the raw filter in your templates, anyone with access to that field could enter some JS code that fires off an Ajax request that tells Craft to make their user account an admin. With that code in place, if an admin ever happens to view a webpage where the value is getting output, the Ajax request will fire and they will have inadvertently made another user an admin—just by visiting a webpage. (Note that the raw filter is necessary here; Twig’s default behavior is to escape all HTML precisely to prevent this sort of attack.)

Unfortunately there’s no way we can completely prevent this from happening, as long as we give developers complete control over the front end code. But we have come up with a way to minimize the risk: elevated user sessions. The way it works is this: all high-target actions within Craft now require an “elevated user session”, meaning that the user must have entered their password in the past 5 minutes (configurable), not counting the time they logged in. This drastically narrows the window when an XSS vulnerability can be exploited.

The following actions now require an elevated user session:

  • Changing a user’s email address
  • Changing your own password
  • Copying a user’s Password Reset URL
  • Assigning new user groups to a user
  • Assigning admin status to a user
  • Assigning new permissions to a user
  • Assigning new permissions to a user group

These are considered high-target actions because they can be used to hijack another user’s account, or escalate a user’s permissions.

In the Control Panel, when you attempt to perform an action that requires an elevated session, Craft will verify that you have one, and if not, it will prompt you for your password to start one.

The password prompt that kicks off a new escalated user session.

Requiring Elevated Sessions from a Plugin

We’ve made it easy for plugins to require elevated user sessions. Control Panel templates have the following options to ensure that the user has an elevated session before performing an action:

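// Require an elevated session when submitting a form
new Craft.ElevatedSessionForm('#my-form');

// Require an elevated session when submitting a form,
// but only if certain inputs have changed
// (the input selectors below are placeholders)
new Craft.ElevatedSessionForm('#my-form', [
    '#input1',
    '#input2'
]);

// Require an elevated session immediately
Craft.elevatedSessionManager.requireElevatedSession(function() {
    // Runs once the user has an elevated session
});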
To ensure the user has an elevated session, controllers should call $this->requireElevatedSession() before executing the action.