Security Advisories

XSS injection in AJAX Framework

A vulnerability was found that allows a malicious user to perform an XSS attack by invoking Backdrop.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

XSS injection in Autocomplete

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files to the site.

SQL Injection

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments. This vulnerability is mitigated by only be accessible to users with "administer views" permissions.

Value callbacks in Form API might run with untrusted input

A vulnerability was discovered in Backdrop's Form API that could allow file upload value callbacks to run with untrusted input, due to the order form token not being checked early enough. This vulnerability can be mitigated by not allowing untrusted users to upload files.

Information Disclosure of Node Titles in Menu Links

For a site that has removed the "access content" permission from anonymous users, the titles of nodes that are added to the main menu or another menu are still visible to anonymous users. This vulnerability is mitigated by the fact the site administrators must have added one or more nodes to a menu that is visible to anonymous users, and the site must not be using a node access module that would filter the nodes out from content listings for anonymous users.

Access bypass (Password reset URLs)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password. This vulnerability is mitigated by it only being exploitable on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. Sites that have empty password hashes and empty user login entries in the database are especially prone to this vulnerability.

Open redirect (Several vectors including the "destination" URL parameter)

Backdrop core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities. This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Form API are vulnerable via the Cancel action that appears at the bottom of the form.

Layout access bypass

The core Layout module incorrectly stores contextual information in a cache that may result in cached contexts being served in the wrong situations. This may result in blocks or layouts that are limited to a specific user role or permission being shown to non-privileged accounts. This vulnerability is mitigated by the fact that an administrator must have configured a layout or block must use contextual access control. By default, all blocks and layouts have no access restrictions.

Views open redirect vulnerability

The core Views UI module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing a phishing attack vector. This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.

Views access bypass vulnerability

The core Views module does not protect the default Views configurations sufficiently, thereby exposing possibly protected information to unprivileged users. This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

There will be a security release of Backdrop 1.9.x, and 1.8.x on April 25th, 2018 between 16:00 - 18:00 UTC. For all security updates, the Security Team urges you to reserve time for core updates at that time because exploits might be developed within days or even hours. Security release announcements will appear here, on the Backdrop security page.

This security release is a follow-up to the one released as BACKDROP-SA-CORE-2018-002 on March 28.

While Backdrop 1.8.x is no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing a release for 1.8.x that includes the fix for sites which have not yet had a chance to update to 1.9.x. The Backdrop Security Team strongly recommends the following:

• Sites on 1.9.x can immediately update when the advisory is released using the normal procedure.
• Sites on 1.8.x should immediately update to the 1.8.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.8.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for both Backdrop branches. Your site's update report page will recommend the 1.9.x release even if you are on 1.8.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

Patches for 1.9.x, and 1.8.x will be provided in addition to the full releases mentioned above. (If your site is on a Backdrop release older than 1.8.0, it no longer receives security coverage and will not receive a security update. Upgrading is strongly recommended as older Backdrop versions may contain other disclosed security vulnerabilities.)

This release will not require a database update.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.backdropcms.org/security, over Twitter, and in email for those who have subscribed to the security email list.

To subscribe to the security email list:

• Log in to backdropcms.org
• Edit your profile
• Scroll down to the "Email notifications" section
• Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"

There will be a security release of Backdrop CMS 1.9.x, 1.8.x, and 1.7.x on March 28th 2018 between 18:00 - 19:30 UTC, that will fix a highly critical security vulnerability. For all security updates, the Security Team urges you to reserve time for core updates at that time because exploits might be developed within days or even hours. Security release announcements will appear here, on the Backdrop security page.

While Backdrop 1.8.x and 1.7.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 1.8.x and 1.7.x releases that include the fix for sites which have not yet had a chance to update to 1.9.x. The Backdrop security team strongly recommends the following:

• Sites on 1.9.x can immediately update when the advisory is released using the normal procedure.
• Sites on 1.8.x should immediately update to the 1.8.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.8.x no longer receives official security coverage).
• Sites on 1.7.x should immediately update to the 1.7.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.7.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for all three Backdrop branches. Your site's update report page will recommend the 1.9.x release even if you are on 1.8.x or 1.7.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

This update will not require a database update.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.backdropcms.org/security, over Twitter, and in email for those who have subscribed to the security email list.

To subscribe to the security email list:

• Log in to backdropcms.org
• Edit your profile
• Scroll down to the "Email notifications" section
• Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"