Date: 
Wednesday, Mar 28th, 2018
Advisory ID: 
BACKDROP-SA-CORE-2018-002
Security risk: 
Highly Critical
Vulnerability: 
Remote Code Execution
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.9.3
Description: 

A remote code execution vulnerability exists within multiple subsystems of Backdrop 1.x. It can be reached through multiple attack vectors on a Backdrop site and could result in the site being completely compromised.

This is a Highly Critical security advisory, which means:

  • How difficult is it for an attacker to leverage the vulnerability? Not difficult (attacker visits page).
  • What privilege level is required for an exploit to be successful? None (all users / anonymous users could be attackers).
  • Does this vulnerability cause non-public data to be accessible? Yes. All non-public data is accessible.
  • Can this exploit allow system data (or data handled by the system) to be compromised? Yes. All data can be modified or deleted.
  • Does a known exploit exist? A theoretical (or white-hat) exploit has been created, but no public exploit code or documentation on development exists that we know of (we will update this post if that changes).
  • What percentage of users are affected? Common configurations can make a site exploitable, but a configuration change could disable the exploit.

Note, on the last point, that while a configuration change can theoretically mitigate the issue, it would have to be a drastic one. The Security Team strongly recommends updating to 1.9.3 as the best solution.

Given the nature of the vulnerability, site owners should anticipate that exploits may be developed soon, and should update their sites immediately.

Solution: 

Upgrade your site to the most recent version of Backdrop core. The download is available on the Backdrop CMS 1.9.3 release page; see the update instructions if needed.

  • If you are running 1.9.x, upgrade to Backdrop 1.9.3. (If you are unable to update immediately, you may apply the patch to fix the vulnerability until you are able to update completely.)

Backdrop 1.8.x and 1.7.x are no longer supported, and we do not normally provide security releases for unsupported minor releases. Given the potential severity of this issue, however, we are also providing 1.8 and 1.7 releases that include the fix.

Please note: if you choose to remain on 1.8 or 1.7, your site's update report page will continue to recommend the latest 1.9 release. We strongly recommend that you take the time to update to 1.9 after installing this security update.
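As an added check for the affected range above (example code, not part of this advisory and not Backdrop's own tooling): a POSIX shell script that reads the installed version from a Backdrop docroot and decides whether it falls in the affected range, any 1.x.x release before 1.9.3. It assumes that Backdrop core defines BACKDROP_VERSION in core/includes/bootstrap.inc; the script name check_backdrop.sh is hypothetical. Because the advisory does not name the 1.8 and 1.7 fix releases, the check treats every 1.8.x and 1.7.x version as affected; relax it if you have installed one of those.

```shell
#!/bin/sh
# Added example for BACKDROP-SA-CORE-2018-002; not Backdrop's own code.
# Assumption: Backdrop core defines BACKDROP_VERSION in core/includes/bootstrap.inc.

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1. Missing components count as 0, and a non-numeric
# component such as the "x" in "1.9.x-dev" also counts as 0, so that
# 1.10.0 sorts after 1.9.3 (a plain string comparison would get this wrong).
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # keep the numeric prefix only
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# True (exit 0) when VERSION is in the advisory's affected range: any 1.x.x
# release before 1.9.3. The advisory mentions fixed 1.8 and 1.7 releases but
# does not name their version numbers, so those series are flagged as
# affected here; relax the check if you have installed one of them.
backdrop_affected() {
  case "$1" in
    1.*) [ "$(version_cmp "$1" 1.9.3)" -lt 0 ] ;;
    *)   return 1 ;;
  esac
}

# Extract the installed version from a Backdrop docroot (assumed file location).
backdrop_installed_version() {
  f="${1:-.}/core/includes/bootstrap.inc"
  [ -r "$f" ] || { echo "not a Backdrop docroot: ${1:-.}" >&2; return 1; }
  sed -n "s/.*define('BACKDROP_VERSION', *'\([^']*\)').*/\1/p" "$f" | head -n 1
}

# Report on one docroot: exit 1 if affected, 0 if not, 2 if unreadable.
check_docroot() {
  v=$(backdrop_installed_version "$1") || return 2
  if backdrop_affected "$v"; then
    echo "$1: Backdrop $v is affected by BACKDROP-SA-CORE-2018-002; update to 1.9.3"
    return 1
  fi
  echo "$1: Backdrop $v is not in the affected range"
}

# Usage: sh check_backdrop.sh /var/www/site1 /var/www/site2 ...
# Exit status is non-zero if any listed docroot is affected or unreadable.
rc=0
for d in "$@"; do check_docroot "$d" || rc=1; done
```

Run it against every docroot on a host (or over ssh across a fleet) and act on any non-zero result. The version comparison is deliberately numeric so that a future 1.10.x release is not mistaken for something older than 1.9.3.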

 

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email announcing the new release is sent to everyone subscribed to that list. Follow the steps below to join the security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form