Security Advisories

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Backdrop code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

.phar added to dangerous extensions list

The .phar file extension has been added to Backdrop's dangerous extensions list, which means that any such file uploaded to a Backdrop file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Backdrop handles file uploads with a .php extension.

Another SA was released today, see also:

• BACKDROP-SA-CORE-2019-001

Backdrop core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Backdrop configurations. Refer to CVE-2018-1000888 for details.

Another SA was released today, see also:

• BACKDROP-SA-CORE-2019-002

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

External URL injection through URL aliases - Moderately Critical - Open Redirect

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the `administer paths` permission to exploit.

Backdrop CMS doesn't sufficiently protect against XSS when allowing administrative users to define custom classes for blocks and regions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Layouts".

A remote code execution vulnerability exists within multiple subsystems of Backdrop. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being compromised. This vulnerability is related to Backdrop core - Highly Critical - Remote Code Execution - BACKDROP-SA-CORE-2018-002. While BACKDROP-SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

CKEditor, a third-party JavaScript library included in Backdrop core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Backdrop core also uses).

A remote code execution vulnerability exists within multiple subsystems of Backdrop 1.x. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being completely compromised.  

This is a Highly Critical security advisory, which means:

• How difficult is it for an attacker to leverage the vulnerability? Not difficult (attacker visits page).
• What privilege level is required for an exploit to be successful? None (all users / anonymous users could be attackers).
• Does this vulnerability cause non-public data to be accessible? Yes. All non-public data is accessible.
• Can this exploit allow system data (or data handled by the system) to be compromised? Yes. All data can be modified or deleted.
• Does a known exploit exist? A theoretical (or white-hat) exploit has been created, but no public exploit code or documentation on development exists, that we know of (we will update this post if that changes.)
• What percentage of users are affected? Common configurations can make a site exploitable, but a configuration change could disable the exploit.

Please note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change. The Security Team strongly recommends that the best solution is for sites to update to 1.9.3. 

Given the nature of the vulnerability, site owners should anticipate that exploits may be developed soon, and should update their sites immediately.

Backdrop core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. This vulnerability affects sites using the version of jQuery bundled with Backdrop core (1.12.4), newer versions of jQuery are not affected.

When using Backdrop's private file system, Backdrop will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.