Security Advisories

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

Inconsistent name for term access query

Backdrop provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Backdrop core as well as those generated by contributed modules like Reference. Otherwise information on taxonomy terms might be disclosed to unprivileged users.

Cancel links on entity and confirmation forms allow external URLs to be injected

Under some conditions this would allow the cancel links in some forms to redirect to an external site.

Denial of service via transliterate mechanism

A specially crafted URL can cause a denial of service via the transliterate mechanism.

Open redirect (Field UI module)

The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.

Information disclosure (Render cache system)

On sites utilizing Backdrop's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users. This vulnerability is mitigated by the fact that render caching is not used in Backdrop core itself (it requires custom code to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Backdrop core).

Backdrop CMS doesn't sufficiently check permissions to access editor dialogs or check the access to upload images within those editor dialogs. This may allow anonymous users to upload temporary images to the server. These files are temporary and will be automatically deleted by the server after 6 hours, mitigating the possibility of the server becoming filled with temporary files.

This release also includes an informational fix to a security-related warning on the status report. Backdrop CMS was not correctly checking if the "update free access" setting was disabled when reporting site status to administrators. This does not indicate a vulnerability; the status report is now fixed to show the warning if needed.

File upload access bypass and denial of service (File module - Moderately Critical)

A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.

This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

Open redirect via path manipulation (Base system - Moderately Critical)

The current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities.

This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.

XSS injection in AJAX Framework

A vulnerability was found that allows a malicious user to perform an XSS attack by invoking Backdrop.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

XSS injection in Autocomplete

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files to the site.

SQL Injection

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments. This vulnerability is mitigated by only be accessible to users with "administer views" permissions.

Value callbacks in Form API might run with untrusted input

A vulnerability was discovered in Backdrop's Form API that could allow file upload value callbacks to run with untrusted input, due to the order form token not being checked early enough. This vulnerability can be mitigated by not allowing untrusted users to upload files.

Information Disclosure of Node Titles in Menu Links

For a site that has removed the "access content" permission from anonymous users, the titles of nodes that are added to the main menu or another menu are still visible to anonymous users. This vulnerability is mitigated by the fact the site administrators must have added one or more nodes to a menu that is visible to anonymous users, and the site must not be using a node access module that would filter the nodes out from content listings for anonymous users.

Access bypass (Password reset URLs)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password. This vulnerability is mitigated by it only being exploitable on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. Sites that have empty password hashes and empty user login entries in the database are especially prone to this vulnerability.

Open redirect (Several vectors including the "destination" URL parameter)

Backdrop core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities. This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Form API are vulnerable via the Cancel action that appears at the bottom of the form.

Layout access bypass

The core Layout module incorrectly stores contextual information in a cache that may result in cached contexts being served in the wrong situations. This may result in blocks or layouts that are limited to a specific user role or permission being shown to non-privileged accounts. This vulnerability is mitigated by the fact that an administrator must have configured a layout or block must use contextual access control. By default, all blocks and layouts have no access restrictions.

Views open redirect vulnerability

The core Views UI module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing a phishing attack vector. This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.

Views access bypass vulnerability

The core Views module does not protect the default Views configurations sufficiently, thereby exposing possibly protected information to unprivileged users. This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

There will be a security release of Backdrop 1.9.x, and 1.8.x on April 25th, 2018 between 16:00 - 18:00 UTC. For all security updates, the Security Team urges you to reserve time for core updates at that time because exploits might be developed within days or even hours. Security release announcements will appear here, on the Backdrop security page.

This security release is a follow-up to the one released as BACKDROP-SA-CORE-2018-002 on March 28.

While Backdrop 1.8.x is no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing a release for 1.8.x that includes the fix for sites which have not yet had a chance to update to 1.9.x. The Backdrop Security Team strongly recommends the following:

• Sites on 1.9.x can immediately update when the advisory is released using the normal procedure.
• Sites on 1.8.x should immediately update to the 1.8.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.8.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for both Backdrop branches. Your site's update report page will recommend the 1.9.x release even if you are on 1.8.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

Patches for 1.9.x, and 1.8.x will be provided in addition to the full releases mentioned above. (If your site is on a Backdrop release older than 1.8.0, it no longer receives security coverage and will not receive a security update. Upgrading is strongly recommended as older Backdrop versions may contain other disclosed security vulnerabilities.)

This release will not require a database update.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.backdropcms.org/security, over Twitter, and in email for those who have subscribed to the security email list.

To subscribe to the security email list:

• Log in to backdropcms.org
• Edit your profile
• Scroll down to the "Email notifications" section
• Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"