Backdrop core - Multiple vulnerabilities - SA-CORE-2015-003

Date:

Friday, May 6th, 2016

Advisory ID:

BACKDROP-SA-CORE-2015-003

Vulnerabilities:

Information Disclosure
Open Redirect
Multiple vulnerabilities

Versions affected:

Backdrop Core versions prior to 1.1.2

Description:

Open redirect (Field UI module)

The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.

Information disclosure (Render cache system)

On sites utilizing Backdrop's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users. This vulnerability is mitigated by the fact that render caching is not used in Backdrop core itself (it requires custom code to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Backdrop core).

Solution:

Upgrade your site to the latest version of Backdrop CMS. Download available at Backdrop CMS 1.1.2 release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By:

Open redirect in the Field UI module:

Michael Smith

Information disclosure in the render cache system::

Nathaniel Catchpole of the Drupal Security Team

Fixed By:

Open redirect in the Field UI module:

Yves Chedemois, Drupal Field UI module maintainer
Damien McKenna provisional member of the Drupal Security Team
Pere Orga of the Drupal Security Team
David Rothstein of the Drupal Security Team
Klaus Purer of the Drupal Security Team

Information disclosure in the render cache system:

David Rothstein of the Drupal Security Team
Wim Leers
willzyx

Coordinated By:

David Rothstein of the Drupal Security Team
Nate Haug of the Backdrop CMS Security Team

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

Log in to backdropcms.org
Edit your profile
Switch to the "Subscriptions" tab
Check the box labeled "Security updates"
Save the form

Security Advisories

Backdrop core - Multiple vulnerabilities - SA-CORE-2015-003

Open redirect (Field UI module)

Information disclosure (Render cache system)

Security email list

Report security issues responsibly

Security Advisories

Backdrop Core - Moderately critical - Multiple vulnerabilities - BACKDROP-SA-CORE-2024-003

Backdrop core - Critical - Cross Site Scripting - BACKDROP-SA-CORE-2024-002

Two-factor Authentication (TFA) - Critical - Access bypass - BACKDROP-SA-CONTRIB-2024-005

Backdrop core - Moderately critical - Cross Site Scripting - BACKDROP-SA-CORE-2024-001

Nivo Slider - Less Critical - Access bypass - BACKDROP-SA-CONTRIB-2024-004

Google Auth - Moderately Critical - DoS - BACKDROP-SA-CONTRIB-2024-003