This is the first security post we have to write, in the 5 years since we've been running Backpack. We're trying to be as direct and tr...
This is the first security post we have to write, in the 5 years since we've been running Backpack. We're trying to be as direct and transparent as possible, so here it is:
Because Backpack did not properly sanitize the input inside an
orderByRaw() statement, our
ListOperation technically allowed a malicious actor to run custom SQL statements on the database.
Fortunately, the modern databases that Backpack officially supports (MySQL and PostgreSQL) have protections against this. You can't do nasty stuff in
ORDER BY statements, the DB won't let you. Furthermore, NoSQL systems have nothing to do with this, as we never could do
orderByRaw() inside those. But we know people use Backpack with unsupported DBMSs, because it works, so it is indeed an issue for some apps. That's why we're taking this seriously.
We will not give steps to reproduce here, but if you are a Backpack contributor or license holder, and want to try it out, please send an email to [email protected] and we'll happily give you easy-to-follow steps.
Your database might be in danger if ALL of the conditions below are true:
Again, this is only a problem for projects that use Backpack for something other than an admin panel (ex: user-facing datatables). Furthermore, out of those possibly affected projects, where people you do not trust have access to the table view of your CRUDs, you might still be safe, depending on your database system. We're still analysing different DBMSs and versions, but as of this moment, we consider the possibility of database damage to be:
We're estimating on the safe side here. Technically all SQL systems are running the problematic piece of code, but some DBMSs do a better job than others in preventing these types of attacks.
But. Even if you are not affected by this particular issue, we recommended you run a
composer update anyway, because:
composer updateto get to Laravel 6.20.11+, 7.30.2+, 8.22.1+;
The impact is limited. We could only confirm an IMPORTANT vulnerability when Backpack is used:
We know this means that very few Backpack installations are actually affected. But just to be on the safe side, we decided to write this post to let as many people know as possible.
Let this be a reminder to all of us that important security issues do come up sometimes, even in well-maintained projects like Laravel and Backpack, and it’s a good idea to keep our projects up-to-date. This is a particularly good time to run
composer update, and get the fixes for both Laravel and Backpack, even if you're unaffected by this issue.
We've taken this seriously:
Needless to say… we are very sorry for this incident. It is the first time we’ve ever had a security issue we consider Important (even for a small subset of our customers), in the 5 years since we started Backpack. Of course, that doesn’t make it ok, but we hope that it shows that we take security seriously, we're transparent about it, and we try to protect our customers' projects as much as we can. In this particular case - we failed to do that for a small number of our customers, and we are sorry for that. We absolutely promise to pay even more attention from now on.
To reiterate & rephrase - if you have a project in production that you last updated between July 2020 and Feb 2021, and you do NOT trust the users of your Backpack table views, you should run a
composer update on the project. But even if you don’t care about this security issue, you should probably run a
composer update anyway, just to get the latest secure Laravel version.
Again, we’re deeply sorry for the trouble we might have caused. I hope our quick and decisive reaction to this shows how much we care, and how much we’re invested in keeping your projects secure - even if you’re using Backpack in a way that we do not officially support.
Tip: You can find out your project’s Backpack, Laravel and database version by running
php artisan backpack:versionin the command line.
What do you think about this?
Wondering what our community has been up to?