Backdrop core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2017-009

Date: 
Aug 16th, 2017
Security risk: 
Moderately Critical
Vulnerabilities: 
  • Cross Site Scripting
  • Access bypass

Access Bypass - Moderately Critical

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view, however, many widely used contrib modules don't have access restrictions set on the default views they provide. Any view that does not have access controls on the default (master) display may be vulnerable. The vulnerability does not require any authentication to be exploited. A successful exploit results in some non-public data being made public.

Sites running versions of Backdrop prior to 1.x-1.7.2 should update immediately.

It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

Cross Site Scripting - Moderately Critical
 
When creating a content type, administrators can define a Human-readable name for the type of content. The system did not filter this administrator-provided text before displaying it to the user on the Manage Displays page, creating a Cross Site Scripting (XSS) vulnerability. 
 
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer content types".
Advisory ID: 
BACKDROP-SA-CORE-2017-009
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.7.2

Search404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-008

Date: 
Jul 26th, 2017
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found.

The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search".

Advisory ID: 
BACKDROP-SA-CONTRIB-2017-008
Versions affected: 
  • Search404 Versions prior to 1.x-1.1.2

Services - Critical - SQL Injection - SA-CONTRIB-2017-007

Date: 
Jun 29th, 2017
Security risk: 
Critical
Vulnerability: 
SQL Injection

The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.  

This vulnerability is mitigated by the fact that a site must have an "Index" resource enabled and the attacker must know the endpoint's URL.

Advisory ID: 
BACKDROP-SA-CONTRIB-2017-007
Versions affected: 

SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-006

Date: 
Jun 28th, 2017
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure

This SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Backdrop. When this module is in debugging mode, it will log privileged information.

Advisory ID: 
BACKDROP-SA-CONTRIB-2017-006
Versions affected: 

Backdrop core is not affected. If you do not use the contributed SMTP Authentication Support module, there is nothing you need to do.

Backdrop core - Moderately Critical - Access Bypass - SA-CORE-2017-005

Date: 
Jun 21st, 2017
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users - access bypass - Moderately Critical

Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Backdrop core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

The Drupal security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.

Advisory ID: 
BACKDROP-SA-CORE-2017-005
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.7.1

Backdrop core - Moderately Critical - Access Bypass - SA-CORE-2017-004

Date: 
Mar 15th, 2017
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

Access bypass via views of taxonomy terms

The Backdrop core module Views allows site builders to create listings of various data in the Backdrop database.

The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permission to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.

Access bypass via views bulk operations on user accounts

The Backdrop core user account listing allows administration of user accounts. The bulk operation on this page that allows additional roles to be added to accounts also allowed a user to promote themselves beyond their intended access. 

This is mitigated by the fact that a user must already have permission to view the user account page in order to have access to the bulk operation.

Advisory ID: 
BACKDROP-SA-CORE-2017-004
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.6.2

Services - Critical - Arbitrary Code Execution - SA-CONTRIB-2017-003

Date: 
Mar 8th, 2017
Security risk: 
Critical
Vulnerability: 
Arbitrary PHP code execution

This module provides a standardized solution for building API's so that external clients can communicate with Backdrop.

The module accepts user submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized") which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and your Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser.

Advisory ID: 
BACKDROP-SA-CONTRIB-2017-003
Versions affected: 
  • Services 1.x versions prior to 1.x-3.0.1-beta

Backdrop core is not affected. If you do not use the contributed Services module, there is nothing you need to do. 

Metatag - Moderately Critical - Information disclosure - SA-CONTRIB-2017-002

Date: 
Mar 8th, 2017
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

Advisory ID: 
BACKDROP-SA-CONTRIB-2017-002
Versions affected: 
  • Metatag 0.x and 1.x versions prior to 1.21.0

Backdrop core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.

Better Exposed Filters - Less Critical - Cross Site Scripting - SA-CONTRIB-2017-001

Date: 
Mar 4th, 2017
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

Advisory ID: 
BACKDROP-SA-CONTRIB-2017-001
Versions affected: 

Backdrop core is not affected. If you do not use the contributed Better Exposed filters module, there is nothing you need to do. 

Backdrop core - Multiple Vulnerabilities - SA-CORE-2016-003

Date: 
Nov 15th, 2016
Vulnerabilities: 
  • Open Redirect
  • Denial of Service
  • Multiple vulnerabilities

Inconsistent name for term access query

Backdrop provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Backdrop core as well as those generated by contributed modules like Reference. Otherwise information on taxonomy terms might be disclosed to unprivileged users.

Cancel links on entity and confirmation forms allow external URLs to be injected

Under some conditions this would allow the cancel links in some forms to redirect to an external site.

Denial of service via transliterate mechanism

A specially crafted URL can cause a denial of service via the transliterate mechanism.

Advisory ID: 
BACKDROP-SA-CORE-2016-003
Versions affected: 
  • Backdrop Core 1.5.x versions prior to 1.5.2

Pages