View online: https://www.drupal.org/sa-contrib-2018-004
Project: Backup and Migrate [1]
Date: 2018-January-24
Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Arbitrary PHP code execution
Description: This module enables you to create manual and scheduled backups of a site, and restore the site from backup.
The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.
Sites using this module should review the permissions page to verify only trusted users are granted permissions defined by the module.
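
One way to carry out the permission review described above directly against the database, as an added example that is not part of the original advisory. It assumes the stock Drupal 7 schema (tables `role`, `role_permission`, `users_roles`, `users`) with no table prefix, and it selects on the module's machine name `backup_migrate` rather than on individual permission names.

```sql
-- Added audit example, not code from the advisory or the module.
-- Assumption: stock Drupal 7 schema with no table prefix.
-- Lists every role that holds a permission defined by backup_migrate,
-- and how many active accounts that grant actually reaches.
SELECT
  r.rid,
  r.name AS role_name,
  rp.permission,
  CASE
    -- rid 1 and 2 are Drupal's built-in roles; they are implicit and
    -- have no rows in users_roles, so counting members would show 0.
    WHEN r.rid = 1 THEN 'every anonymous visitor'
    WHEN r.rid = 2 THEN 'every logged-in user'
    ELSE CONCAT(COUNT(u.uid), ' active user(s)')
  END AS granted_to
FROM role_permission rp
JOIN role r
  ON r.rid = rp.rid
LEFT JOIN users_roles ur
  ON ur.rid = r.rid
LEFT JOIN users u
  ON u.uid = ur.uid
 AND u.status = 1          -- blocked accounts are not counted
WHERE rp.module = 'backup_migrate'
GROUP BY r.rid, r.name, rp.permission
ORDER BY r.rid, rp.permission;
```

Any row for rid 1 or rid 2, or for a role whose members are not all highly trusted, is a grant to revoke on the permissions page.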
Solution: Install the latest version:
* If you use the Backup and Migrate module for Drupal 7.x, upgrade to Backup and Migrate 7.x-3.4 [3].
Reported By:
* John Bickar [4]
* Cash Williams [5] of the Drupal Security Team.
Fixed By:
* Damien McKenna [6] the module maintainer.
* Daniel Pickering [7] the module maintainer.
* Pere Orga [8] of the Drupal Security Team.
Coordinated By:
* Damien McKenna [9] of the Drupal Security Team.
[1] https://www.drupal.org/project/backup_migrate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/backup_migrate/releases/7.x-3.4
[4] https://www.drupal.org/u/john-bickar
[5] https://www.drupal.org/u/cashwilliams
[6] https://www.drupal.org/u/damienmckenna
[7] https://www.drupal.org/u/ikit-claw
[8] https://www.drupal.org/u/pere-orga
[9] https://www.drupal.org/u/damienmckenna