[Security-news] Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004
security-news at drupal.org
Wed Jan 24 18:42:21 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-004
Project: Backup and Migrate [1]
Date: 2018-January-24
Security risk: *Critical* 15∕25
AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Arbitrary PHP code execution
Description:
This module enables you to create manual and scheduled backups of a site, and
restore the site from backup.
The module doesn't sufficiently identify that its custom permissions are
risky and should only be granted to highly trusted roles.
Sites using this module should review the permissions page to verify only
trusted users are granted permissions defined by the module.
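One way to do that review from the database rather than the permissions page, as an added example that is not part of the original advisory: the query below lists every role holding a permission defined by the module, using the Drupal 7 core tables role, role_permission and users_roles. It assumes no database table prefix and the core role IDs 1 (anonymous user) and 2 (authenticated user).

```sql
-- Added example, not from the advisory.
-- Lists each role that holds a permission defined by the backup_migrate
-- module on a Drupal 7 site, with how widely that role is held.
-- Assumption: tables have no prefix; add yours if the site uses one.
SELECT
  r.rid,
  r.name                 AS role_name,
  rp.permission,
  -- users_roles only records explicit assignments; the two built-in
  -- roles are implicit, so their count is always 0 here.
  COUNT(DISTINCT ur.uid) AS explicitly_assigned_users,
  CASE r.rid
    WHEN 1 THEN 'every anonymous visitor'
    WHEN 2 THEN 'every logged-in account'
    ELSE 'assigned users only'
  END                    AS effective_scope
FROM role_permission rp
JOIN role r
  ON r.rid = rp.rid
LEFT JOIN users_roles ur
  ON ur.rid = r.rid
WHERE rp.module = 'backup_migrate'
GROUP BY r.rid, r.name, rp.permission
ORDER BY r.rid, rp.permission;
```

Any row with rid 1 or 2 means the permission reaches accounts that are not individually vetted; for the remaining rows, check that each role's members are highly trusted.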
Solution:
Install the latest version:
* If you use the Backup and Migrate module for Drupal 7.x, upgrade to
Backup and Migrate 7.x-3.4 [3].
Reported By:
* John Bickar [4]
* Cash Williams [5] of the Drupal Security Team.
Fixed By:
* Damien McKenna [6] the module maintainer.
* Daniel Pickering [7] the module maintainer.
* Pere Orga [8] of the Drupal Security Team.
Coordinated By:
* Damien McKenna [9] of the Drupal Security Team.
[1] https://www.drupal.org/project/backup_migrate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/backup_migrate/releases/7.x-3.4
[4] https://www.drupal.org/u/john-bickar
[5] https://www.drupal.org/u/cashwilliams
[6] https://www.drupal.org/u/damienmckenna
[7] https://www.drupal.org/u/ikit-claw
[8] https://www.drupal.org/u/pere-orga
[9] https://www.drupal.org/u/damienmckenna