Backdrop core - Moderately critical - Information disclosure - SA-CORE-2019-006

Date: 
Mar 14th, 2019
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure

The Views module included in Backdrop core doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances.

This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

Advisory ID: 
BACKDROP-SA-CORE-2019-006
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.12.4

Backdrop core - Moderately critical - Information Disclosure - SA-CORE-2019-005

Date: 
Mar 14th, 2019
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure

The Views module included in Backdrop core doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

Advisory ID: 
BACKDROP-SA-CORE-2019-005
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.12.4

EU Cookie Compliance - Critical - Cross site scripting - SA-CONTRIB-2019-004

Date: 
Mar 7th, 2019
Security risk: 
Critical
Vulnerability: 
Cross Site Scripting

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.

The module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up possibility of Cross Site Scripting exploits that can be created by somebody that has access to the admin interface of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner".

Advisory ID: 
BACKDROP-SA-CONTRIB-2019-004
Versions affected: 
  • EU Cookie Compliance 1.x-2.x.x versions prior to 2.26.0

Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-003

Date: 
Mar 7th, 2019
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Request Forgery

The Ubercart module provides a shopping cart and e-commerce features for Backdrop CMS.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.

Advisory ID: 
BACKDROP-SA-CONTRIB-2019-003
Versions affected: 
  • Ubercart 1.x.x versions prior to 1.x-1.0.4-beta

Services - Critical - SQL Injection - SA-CONTRIB-2019-002

Date: 
Mar 1st, 2019
Security risk: 
Critical
Vulnerability: 
SQL Injection

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks.

This vulnerability is mitigated by the fact that the Backdrop site must have an "index" resource(s) enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.

Install the 1.x-3.0.3-beta version of the Services module for the fix, or simply disable any "index" resources to stop the attack vector.

Advisory ID: 
BACKDROP-SA-CONTRIB-2019-002
Versions affected: 
  • Services 1.x.x versions prior to 1.x-3.0.3-beta

Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-001

Date: 
Feb 28th, 2019
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Advisory ID: 
BACKDROP-SA-CONTRIB-2019-001
Versions affected: 
  • Focal Point 1.x.x versions prior to 1.1.1

Backdrop core - Critical - Remote Code Execution - SA-CORE-2019-003

Date: 
Feb 20th, 2019
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

Link fields do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Note: A site is only affected by this if the site has a web services module enabled (like Services module) or exposes another API that allows content creation.

Advisory ID: 
BACKDROP-SA-CORE-2019-003
Versions affected: 
  • Backdrop Core 1.x versions prior to versions 1.12.2 and 1.11.5.

Versions of Backdrop CMS prior to 1.11.x do not receive security coverage.

Backdrop core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002

Date: 
Jan 16th, 2019
Security risk: 
Critical
Vulnerability: 
Arbitrary PHP code execution

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Backdrop code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

.phar added to dangerous extensions list

The .phar file extension has been added to Backdrop's dangerous extensions list, which means that any such file uploaded to a Backdrop file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Backdrop handles file uploads with a .php extension.

Another SA was released today, see also:

Advisory ID: 
BACKDROP-SA-CORE-2019-002
Versions affected: 
  • Backdrop core versions prior to 1.12.1 and 1.11.5

Backdrop core - Critical - Third Party Libraries - SA-CORE-2019-001

Date: 
Jan 16th, 2019
Security risk: 
Critical
Vulnerability: 
Third Party Libraries

Backdrop core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Backdrop configurations. Refer to CVE-2018-1000888 for details.

Another SA was released today, see also:

Advisory ID: 
BACKDROP-SA-CORE-2019-001
Versions affected: 
  • Backdrop core versions prior to 1.12.1 and 1.11.5

Backdrop Core - Critical - Multiple Vulnerabilities - SA-CORE-2018-006

Date: 
Oct 18th, 2018
Security risk: 
Critical
Vulnerabilities: 
  • Remote Code Execution
  • Open Redirect

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

External URL injection through URL aliases - Moderately Critical - Open Redirect

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the `administer paths` permission to exploit.

Advisory ID: 
BACKDROP-SA-CORE-2018-006
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.11.2

Pages