Advisory ID: 
BACKDROP-SA-CORE-2015-001
Vulnerability: 
Multiple vulnerabilities
Versions affected: 
  • Backdrop Core 1.x versions prior to 1.0.2
Description: 

Layout access bypass

The core Layout module incorrectly stores contextual information in a cache, which may result in cached contexts being served in the wrong situations. As a result, blocks or layouts that are limited to a specific user role or permission may be shown to non-privileged accounts. This vulnerability is mitigated by the fact that an administrator must have configured a layout or block to use contextual access control. By default, all blocks and layouts have no access restrictions.

Views open redirect vulnerability

The core Views UI module does not sanitize user-provided URLs when processing the page to break the lock on Views being edited, thereby exposing a phishing attack vector. This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.
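A sketch of the kind of destination check this class of bug calls for, added here as an illustration; it is not Backdrop's patch or code from the advisory. The function name, parameters, and sample inputs are hypothetical and constructed for the example.

```php
<?php
/**
 * Added example, not Backdrop code. Returns a root-relative path that is
 * safe to redirect to, or $fallback when $destination could leave the site.
 * Function and parameter names are hypothetical.
 */
function safe_local_destination(string $destination, string $fallback = '/'): string {
  // Decode once so percent-encoded slashes or backslashes cannot hide.
  $decoded = rawurldecode($destination);

  // Reject empty values, surrounding whitespace and control characters.
  if ($decoded === '' || $decoded !== trim($decoded)
      || preg_match('/[\x00-\x1F\x7F]/', $decoded)) {
    return $fallback;
  }
  // Browsers treat "\" like "/", so "/\host" behaves like "//host".
  $normalised = str_replace('\\', '/', $decoded);

  // Protocol-relative URLs ("//host/path") point off-site.
  if (strpos($normalised, '//') === 0) {
    return $fallback;
  }
  // Any scheme before the first "/", "?" or "#" (http:, javascript:, data:).
  // Conservative: a relative path whose first segment has ":" is refused too.
  if (preg_match('/^[^\/?#]*:/', $normalised)) {
    return $fallback;
  }
  // Force a single leading slash so the result is always root-relative.
  return '/' . ltrim($destination, '/');
}

// Constructed sample inputs: two local paths, then off-site variants.
$samples = [
  'admin/structure/views',
  '/admin/structure/views/view/frontpage',
  'https://evil.example/login',
  '//evil.example',
  '/\\evil.example',
  '%2F%2Fevil.example',
  'javascript:alert(1)',
];
foreach ($samples as $sample) {
  printf("%-40s => %s\n", $sample, safe_local_destination($sample));
}
```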

Views access bypass vulnerability

The core Views module does not protect the default Views configurations sufficiently, thereby exposing possibly protected information to unprivileged users. This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

Solution: 

Upgrade your site to the latest version of Backdrop CMS. Downloads are available from the Backdrop CMS releases page. Update instructions are available at https://backdropcms.org/upgrade#minor-updates.

Reported By: 
  • Layout access bypass: Nate Haug of the Backdrop CMS Security Team
  • Views open redirect: Klaus Purer of the Drupal Security Team
  • Views access bypass: Daniel Wehner, the Drupal Views module maintainer
Fixed By: 
  • Layout access bypass: Nate Haug of the Backdrop CMS Security Team
  • Views open redirect and access bypass: Daniel Wehner, the Drupal Views module maintainer