Date: 
Wednesday, Aug 19th, 2015
Advisory ID: 
BACKDROP-SA-CORE-2015-004
Vulnerabilities: 
  • Cross Site Scripting
  • Cross Site Request Forgery
  • SQL Injection
  • Information Disclosure
  • Multiple vulnerabilities
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.1.3
Description: 

XSS injection in AJAX Framework

A vulnerability was found that allows a malicious user to perform an XSS attack by invoking Backdrop.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

XSS injection in Autocomplete

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files to the site.

SQL Injection

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code through SQL comments. This vulnerability is mitigated by the fact that it is only reachable by users with the "administer views" permission.
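The advisory does not say what the comment filter did or how the comment reaches the query, so the following is an added illustration of the general class of bug, not Backdrop's or Views' own code. It assumes a query-comment feature that prepends "/* label */" to a query, where the label comes from a user with elevated permissions; the table "node", the two sample rows, the "filter_comment_naive" and "filter_comment_hardened" functions and the payload are all constructed here. It shows why a single-pass removal of "*/" is bypassable and why padding every "*" (so the delimiter can never form) is not.

```python
import sqlite3


# Constructed sample data (not Backdrop's schema): two nodes, one unpublished.
def _open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE node (nid INTEGER, title TEXT, status INTEGER)")
    con.executemany(
        "INSERT INTO node VALUES (?, ?, ?)",
        [(1, "Published post", 1), (2, "Unpublished draft", 0)],
    )
    return con


def filter_comment_naive(comment):
    """Hypothetical weak filter: remove '*/' in a single pass.

    A single non-overlapping pass is bypassable: '**//' loses its middle
    '*/' and the surviving outer characters re-form '*/'.
    """
    return comment.replace("*/", "")


def filter_comment_hardened(comment):
    """Hypothetical fix: pad every '*' with spaces so neither '/*' nor '*/'
    can appear in the output, whatever the input contains."""
    return comment.replace("*", " * ")


def run_listing(comment, filt):
    """Prepend a query comment carrying a user-controlled label (assumed to
    be the shape of the vulnerable feature) and run the listing of
    published nodes. Returns the titles the query produced."""
    sql = "/* " + filt(comment) + " */ SELECT title FROM node WHERE status = 1"
    con = _open_db()
    try:
        return [row[0] for row in con.execute(sql)]
    finally:
        con.close()


# Constructed payload: the double-star trick survives the naive filter as
# '*/', which closes the comment early; '--' then hides the rest of the
# original statement, so the WHERE clause never runs.
PAYLOAD = "**// SELECT title FROM node --"


if __name__ == "__main__":
    print("naive filter   :", run_listing(PAYLOAD, filter_comment_naive))
    print("hardened filter:", run_listing(PAYLOAD, filter_comment_hardened))
```

With the naive filter the executed text becomes "/* */ SELECT title FROM node -- */ SELECT ... WHERE status = 1", so the unpublished draft leaks; with the padded filter the whole payload stays inside the comment and only the published node is returned. The general lesson is that stripping a delimiter once is never enough; either strip until the output stops changing or, better, make the delimiter unrepresentable.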

Value callbacks in Form API might run with untrusted input

A vulnerability was discovered in Backdrop's Form API that could allow file upload value callbacks to run with untrusted input, because the form token was not checked early enough in form processing. This vulnerability is mitigated by not allowing untrusted users to upload files.

Information Disclosure of Node Titles in Menu Links

For a site that has removed the "access content" permission from anonymous users, the titles of nodes that are added to the main menu or another menu are still visible to anonymous users. This vulnerability is mitigated by the fact that site administrators must have added one or more nodes to a menu that is visible to anonymous users, and the site must not be using a node access module that would filter those nodes out of content listings for anonymous users.

Solution: 

Upgrade your site to the latest version of Backdrop CMS. The download is available from the Backdrop CMS 1.1.3 release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By: 

XSS injection in AJAX Framework:

XSS injection in Autocomplete:

SQL Injection:

Value callbacks in Form API might run with untrusted input:

Information Disclosure of Node Titles in Menu Links:

Fixed By: 

XSS injection in AJAX Framework:

XSS injection in Autocomplete:

SQL Injection:

Value callbacks in Form API might run with untrusted input:

Information Disclosure of Node Titles in Menu Links:

Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form