Services - Critical - SQL Injection - SA-CONTRIB-2017-007

Date:

Thursday, Jun 29th, 2017

Advisory ID:

BACKDROP-SA-CONTRIB-2017-007

Security risk:

Critical

Vulnerability:

SQL Injection

Versions affected:

Project: Services (third-party module) versions prior to 1.x-3.0.2-beta

Description:

The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.

This vulnerability is mitigated by the fact that a site must have an "Index" resource enabled and the attacker must know the endpoint's URL.

Solution:

If you use the Services module for Backdrop CMS 1.x, upgrade to services1.x-3.0.2-beta

Reported By:

Geoff St Pierre of the Backdrop Security Team
John Morahan

Fixed By:

Tyler Frankenstein, a module maintainer
John Morahan

Coordinated By:

Wilmoth Shillingford of the Backdrop Security Team

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

Log in to backdropcms.org
Edit your profile
Switch to the "Subscriptions" tab
Check the box labeled "Security updates"
Save the form

Report security issues responsibly

If you have found a security issue, send an email to security@backdropcms.org. Do not file an issue on GitHub, or otherwise announce the issue publicly.

See more about Backdrop security.

Security Advisories

The list below includes the latest advisories for both Backdrop core and any project in the contributed repository. See the entire list of all advisories.