Advisory ID: BACKDROP-SA-CORE-2015-002
Vulnerability: Multiple vulnerabilities
Versions affected:
  • Backdrop Core 1.0.x versions prior to 1.0.5
Description: 

Access bypass (Password reset URLs)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password. This vulnerability is mitigated by the fact that it is only exploitable on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. Sites that have empty password hashes and empty user login entries in the database are especially prone to this vulnerability.
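Because the precondition for this issue is visible in the database (several accounts with an identical stored hash, or an empty hash), a site owner can audit for it before and after upgrading. The following is an added example, not Backdrop's own code: it runs a grouping query over a constructed, in-memory SQLite copy of a users table. The table layout (uid, name, pass, login) and the function name find_shared_password_hashes() are assumptions made for the example, not Backdrop's real schema or API.

```php
<?php
/**
 * Added example (not Backdrop code). Reports password hashes that are shared
 * by more than one account, and any account whose stored hash is empty.
 * The users table defined below is a constructed stand-in for the real one.
 */
function find_shared_password_hashes(PDO $db): array
{
    // Group accounts by stored hash; keep hashes used by more than one
    // account, and the empty hash regardless of how many accounts use it.
    $sql = "SELECT pass, COUNT(*) AS n, GROUP_CONCAT(name, ',') AS accounts
            FROM users
            GROUP BY pass
            HAVING COUNT(*) > 1 OR pass = ''";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT, login INTEGER)');

// Constructed rows: two imported accounts share one hash, one has an empty hash
// and has never logged in (login = 0). Hash values are placeholders.
$insert = $db->prepare('INSERT INTO users (uid, name, pass, login) VALUES (?, ?, ?, ?)');
foreach ([
    [1, 'admin',    'PLACEHOLDER-HASH-ADMIN',  1420000000],
    [2, 'alice',    'PLACEHOLDER-HASH-SHARED', 0],
    [3, 'bob',      'PLACEHOLDER-HASH-SHARED', 0],
    [4, 'imported', '',                        0],
] as $row) {
    $insert->execute($row);
}

foreach (find_shared_password_hashes($db) as $finding) {
    printf("hash %s used by %d account(s): %s\n",
        $finding['pass'] === '' ? '(empty)' : $finding['pass'],
        $finding['n'], $finding['accounts']);
}
```

Any account listed by this audit should be given a fresh, unique password hash (for example by forcing a password reset for it) in addition to applying the 1.0.5 update, since the shared or empty hash is what makes the forged reset link possible.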

Open redirect (Several vectors including the "destination" URL parameter)

Backdrop core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities. This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Form API are vulnerable via the Cancel action that appears at the bottom of the form.
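The underlying defensive rule is that a redirect target taken from a request parameter must be a path on the current site, never something a browser could resolve to another origin. The following is an added example, not Backdrop's own code or the fix shipped in 1.0.5: a conservative validator for a "destination"-style value, with constructed sample inputs. The function name is_local_destination() is hypothetical.

```php
<?php
/**
 * Added example (not Backdrop code). Accepts only site-local paths such as
 * "node/1", "user/login?foo=bar" or "/admin/config", and rejects any value a
 * browser could treat as an absolute or protocol-relative URL.
 */
function is_local_destination(string $destination): bool
{
    // An empty value has nothing to redirect to. Control characters and
    // whitespace are rejected because some user agents strip them before
    // parsing, which could turn "\t//host" into "//host".
    if ($destination === '' || preg_match('/[\x00-\x20\x7f]/', $destination)) {
        return false;
    }

    // Browsers treat a backslash as a slash ("/\evil.example" becomes
    // "//evil.example"), but parse_url() does not, so reject them outright.
    if (strpos($destination, '\\') !== false) {
        return false;
    }

    // parse_url() returns false for seriously malformed input.
    $parts = parse_url($destination);
    if ($parts === false) {
        return false;
    }

    // A scheme ("http:", "javascript:", "data:") or a host ("//evil.example")
    // means the value is not a path on this site.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }

    // Protocol-relative values are already caught by the host check above;
    // this explicit test does not depend on parse_url() behaviour.
    if (substr($destination, 0, 2) === '//') {
        return false;
    }

    return true;
}

// Constructed sample values (not taken from the advisory).
$samples = [
    'node/1',
    '/admin/config?foo=bar',
    'http://evil.example/',
    '//evil.example/',
    '/\\evil.example/',
    'javascript:alert(1)',
    "\t//evil.example/",
];
foreach ($samples as $value) {
    printf("%-28s %s\n", var_export($value, true),
        is_local_destination($value) ? 'accepted' : 'rejected');
}
```

Of the samples, only the first two are accepted. When the check fails, the application should fall back to a fixed internal page (for example the front page) rather than trying to "clean" the supplied value, since partial sanitising is how the API functions mentioned above came to pass external URLs through.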

Solution: 

Upgrade your site to the latest version of Backdrop CMS. Download available from the Backdrop CMS releases page. Update instructions are available at https://backdropcms.org/upgrade#minor-updates.

Reported By: 

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Fixed By: 

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter: