Security Advisories

A remote code execution vulnerability exists within multiple subsystems of Backdrop 1.x. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being completely compromised.  

This is a Highly Critical security advisory, which means:

• How difficult is it for an attacker to leverage the vulnerability? Not difficult (attacker visits page).
• What privilege level is required for an exploit to be successful? None (all users / anonymous users could be attackers).
• Does this vulnerability cause non-public data to be accessible? Yes. All non-public data is accessible.
• Can this exploit allow system data (or data handled by the system) to be compromised? Yes. All data can be modified or deleted.
• Does a known exploit exist? A theoretical (or white-hat) exploit has been created, but no public exploit code or documentation on development exists, that we know of (we will update this post if that changes.)
• What percentage of users are affected? Common configurations can make a site exploitable, but a configuration change could disable the exploit.

Please note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change. The Security Team strongly recommends that the best solution is for sites to update to 1.9.3. 

Given the nature of the vulnerability, site owners should anticipate that exploits may be developed soon, and should update their sites immediately.

Backdrop core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. This vulnerability affects sites using the version of jQuery bundled with Backdrop core (1.12.4), newer versions of jQuery are not affected.

When using Backdrop's private file system, Backdrop will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

JavaScript cross-site scripting prevention is incomplete - Critical

Backdrop has a Backdrop.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Backdrop provides for HTML escaping are not affected.

This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources.

The Captcha module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments.

The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack.

This vulnerability is mitigated by the fact that Backdrop does not give a session to all visitors, especially when used with advanced caching systems like Varnish.

Access Bypass - Moderately Critical

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view, however, many widely used contrib modules don't have access restrictions set on the default views they provide. Any view that does not have access controls on the default (master) display may be vulnerable. The vulnerability does not require any authentication to be exploited. A successful exploit results in some non-public data being made public.

Sites running versions of Backdrop prior to 1.x-1.7.2 should update immediately.

It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found.

The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search".

The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.  

This vulnerability is mitigated by the fact that a site must have an "Index" resource enabled and the attacker must know the endpoint's URL.