Security Advisories

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users - access bypass - Moderately Critical

Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Backdrop core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

The Drupal security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.

Access bypass via views of taxonomy terms

The Backdrop core module Views allows site builders to create listings of various data in the Backdrop database.

The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permission to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.

Access bypass via views bulk operations on user accounts

The Backdrop core user account listing allows administration of user accounts. The bulk operation on this page that allows additional roles to be added to accounts also allowed a user to promote themselves beyond their intended access. 

This is mitigated by the fact that a user must already have permission to view the user account page in order to have access to the bulk operation.

This module provides a standardized solution for building API's so that external clients can communicate with Backdrop.

The module accepts user submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized") which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and your Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser.

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

Inconsistent name for term access query

Backdrop provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Backdrop core as well as those generated by contributed modules like Reference. Otherwise information on taxonomy terms might be disclosed to unprivileged users.

Cancel links on entity and confirmation forms allow external URLs to be injected

Under some conditions this would allow the cancel links in some forms to redirect to an external site.

Denial of service via transliterate mechanism

A specially crafted URL can cause a denial of service via the transliterate mechanism.

Open redirect (Field UI module)

The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.

Information disclosure (Render cache system)

On sites utilizing Backdrop's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users. This vulnerability is mitigated by the fact that render caching is not used in Backdrop core itself (it requires custom code to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Backdrop core).

Backdrop CMS doesn't sufficiently check permissions to access editor dialogs or check the access to upload images within those editor dialogs. This may allow anonymous users to upload temporary images to the server. These files are temporary and will be automatically deleted by the server after 6 hours, mitigating the possibility of the server becoming filled with temporary files.

This release also includes an informational fix to a security-related warning on the status report. Backdrop CMS was not correctly checking if the "update free access" setting was disabled when reporting site status to administrators. This does not indicate a vulnerability; the status report is now fixed to show the warning if needed.

File upload access bypass and denial of service (File module - Moderately Critical)

A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.

This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

Open redirect via path manipulation (Base system - Moderately Critical)

The current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities.

This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.

XSS injection in AJAX Framework

A vulnerability was found that allows a malicious user to perform an XSS attack by invoking Backdrop.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

XSS injection in Autocomplete

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files to the site.

SQL Injection

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments. This vulnerability is mitigated by only be accessible to users with "administer views" permissions.

Value callbacks in Form API might run with untrusted input

A vulnerability was discovered in Backdrop's Form API that could allow file upload value callbacks to run with untrusted input, due to the order form token not being checked early enough. This vulnerability can be mitigated by not allowing untrusted users to upload files.

Information Disclosure of Node Titles in Menu Links

For a site that has removed the "access content" permission from anonymous users, the titles of nodes that are added to the main menu or another menu are still visible to anonymous users. This vulnerability is mitigated by the fact the site administrators must have added one or more nodes to a menu that is visible to anonymous users, and the site must not be using a node access module that would filter the nodes out from content listings for anonymous users.