Date: Wednesday, Apr 20th, 2016
Advisory ID: BACKDROP-SA-CORE-2016-002
Vulnerability: Access bypass
Versions affected: Backdrop Core 1.x.x versions prior to 1.3.5
Description: 

Backdrop CMS does not sufficiently check permissions when a user accesses editor dialogs, nor does it check that the user is allowed to upload images from within those dialogs. This may allow anonymous users to upload temporary images to the server. The uploaded files are temporary and are automatically deleted by the server after 6 hours, which limits the risk of the server filling up with temporary files.
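
As an added illustration (not Backdrop's own code or its actual fix), the defensive pattern the advisory implies: a hypothetical editor image-dialog route whose access callback requires both that the account may use the text format exposing the dialog and that it may upload files. The path, function names and the "upload editor images" permission are assumptions; hook_menu(), filter_access() and user_access() are the Drupal-7-style APIs that Backdrop 1.x inherits.

```php
<?php
// Added example, not Backdrop's code. Route and permission names are assumed.

function example_editor_menu() {
  $items['example/editor/dialog/image/%filter_format'] = array(
    'title' => 'Insert image',
    'page callback' => 'example_editor_image_dialog',
    'page arguments' => array(4),
    // A dialog route that lacks an access callback checking the caller's
    // permissions is the class of problem the advisory describes; every
    // editor dialog route should name one.
    'access callback' => 'example_editor_dialog_access',
    'access arguments' => array(4, 'upload'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback for editor dialogs.
 *
 * Returns TRUE only when $account may use $format and, for upload actions,
 * also holds the (hypothetical) 'upload editor images' permission.
 */
function example_editor_dialog_access($format, $action = NULL, $account = NULL) {
  global $user;
  $account = $account ? $account : $user;

  // Anonymous users (uid 0) must not reach an upload dialog at all.
  if (empty($account->uid)) {
    return FALSE;
  }
  // Opening the dialog is tied to being allowed to use the text format.
  if (!filter_access($format, $account)) {
    return FALSE;
  }
  // Uploading is a separate capability from opening the dialog; check it
  // separately instead of assuming dialog access implies upload access.
  if ($action === 'upload' && !user_access('upload editor images', $account)) {
    return FALSE;
  }
  return TRUE;
}
```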

This release also includes an informational fix to a security-related warning on the status report. Backdrop CMS was not correctly checking whether the "update free access" setting was disabled when reporting site status to administrators. This does not indicate a vulnerability; the status report now shows the warning when needed.

Solution: 

Upgrade your site to the latest version of Backdrop CMS. The download is available on the Backdrop CMS 1.3.5 release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By: 

Editor Access Bypass:

Settings.php Update Free Access Check:

Fixed By: 

Editor Access Bypass:

  • Nate Haug of the Backdrop CMS Security Team

Settings.php Update Access Check:

  • JF, provisional member of the Backdrop CMS Security Team
  • Jen Lampton of the Backdrop CMS Security Team

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form