Backdrop core - Highly Critical - Remote Code Execution - SA-CORE-2018-002
A remote code execution vulnerability exists within multiple subsystems of Backdrop 1.x. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being completely compromised.
This is a Highly Critical security advisory, which means:
- How difficult is it for an attacker to leverage the vulnerability? Not difficult (attacker visits page).
- What privilege level is required for an exploit to be successful? None (all users / anonymous users could be attackers).
- Does this vulnerability cause non-public data to be accessible? Yes. All non-public data is accessible.
- Can this exploit allow system data (or data handled by the system) to be compromised? Yes. All data can be modified or deleted.
- Does a known exploit exist? A theoretical (or white-hat) exploit has been created, but no public exploit code or documentation on developing one exists that we know of (we will update this post if that changes).
- What percentage of users are affected? Common configurations can make a site exploitable, but a configuration change could disable the exploit.
Regarding the last point: while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change. The Security Team strongly recommends updating to 1.9.3 as the best solution.
Given the nature of the vulnerability, site owners should anticipate that exploits may be developed soon, and should update their sites immediately.
Versions affected:
- Backdrop Core 1.x.x versions prior to 1.9.3