[SECURITY-L] [security-news em drupal.org: [Security-news] Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004]

CSIRT Unicamp security em unicamp.br
Wed Jan 24 16:56:42 -02 2018


----- Forwarded message from security-news em drupal.org -----

Date: Wed, 24 Jan 2018 18:42:21 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004

View online: https://www.drupal.org/sa-contrib-2018-004

Project: Backup and Migrate [1]
Date: 2018-January-24
Security risk: *Critical* 15/25
AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Arbitrary PHP code execution

Description: 
This module enables you to create manual and scheduled backups of a site, and
restore the site from backup.

The module doesn't sufficiently identify that its custom permissions are
risky and should only be granted to highly trusted roles.

Sites using this module should review the permissions page to verify only
trusted users are granted permissions defined by the module.

Solution: 
Install the latest version:

  * If you use the Backup and Migrate module for Drupal 7.x, upgrade to Backup
    and Migrate 7.x-3.4 [3].

Reported By: 
  * John Bickar [4]
  * Cash Williams [5] of the Drupal Security Team.

Fixed By: 
  * Damien McKenna [6] the module maintainer.
  * Daniel Pickering [7] the module maintainer.
  * Pere Orga [8] of the Drupal Security Team.

Coordinated By: 
  * Damien McKenna [9] of the Drupal Security Team.


[1] https://www.drupal.org/project/backup_migrate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/backup_migrate/releases/7.x-3.4
[4] https://www.drupal.org/u/john-bickar
[5] https://www.drupal.org/u/cashwilliams
[6] https://www.drupal.org/u/damienmckenna
[7] https://www.drupal.org/u/ikit-claw
[8] https://www.drupal.org/u/pere-orga
[9] https://www.drupal.org/u/damienmckenna

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

----- End forwarded message -----
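The advisory's recommended check is a review of which roles hold the permissions the module defines. The queries below are an added example written for this list post; they are not part of the Drupal advisory or of the Backup and Migrate module. They assume a Drupal 7 site on MySQL with the default, unprefixed core tables (role, role_permission, users_roles, users) and rely on two Drupal 7 conventions: rid 1 is "anonymous user", rid 2 is "authenticated user", and the authenticated role is implicit for every registered account, so it never appears in users_roles.

```sql
-- Added audit queries (not from the advisory). Assumes Drupal 7, MySQL,
-- no table prefix. Drupal 7 registers every permission a module declares
-- in role_permission with module = '<module machine name>', so filtering
-- on 'backup_migrate' lists exactly the permissions this advisory covers
-- without hard-coding their names.

-- 1. Which roles hold any backup_migrate permission. Grants to rid 1 or 2
--    are the dangerous case: they hand the permission to every visitor or
--    every registered account, so they sort to the top.
SELECT
  r.rid,
  r.name                                           AS role_name,
  rp.permission,
  CASE WHEN r.rid IN (1, 2)
       THEN 'YES - built-in broad role'
       ELSE 'no'
  END                                              AS broad_grant,
  -- explicit members of the role (0 for rid 1 and 2, which are implicit)
  (SELECT COUNT(*) FROM users_roles ur WHERE ur.rid = r.rid)
                                                   AS explicit_members
FROM role_permission rp
JOIN role r ON r.rid = rp.rid
WHERE rp.module = 'backup_migrate'
ORDER BY (r.rid IN (1, 2)) DESC, r.rid, rp.permission;

-- 2. Every named account that reaches a backup_migrate permission through
--    an explicitly assigned role. This is the list to compare against the
--    set of people actually trusted to take and restore full-site backups.
SELECT DISTINCT
  u.uid,
  u.name        AS account,
  u.status      AS account_enabled,   -- 1 = active, 0 = blocked
  r.name        AS role_name,
  rp.permission
FROM role_permission rp
JOIN role        r  ON r.rid  = rp.rid
JOIN users_roles ur ON ur.rid = r.rid
JOIN users       u  ON u.uid  = ur.uid
WHERE rp.module = 'backup_migrate'
ORDER BY u.uid, rp.permission;
```

Run them from the site root with `drush sql-cli`, or one at a time with `drush sql-query`; on a site that uses a table prefix, prefix the four table names accordingly. Two caveats when reading the output: uid 1 bypasses Drupal 7's permission system entirely and so holds every permission regardless of what these queries show, and a grant to the authenticated role (rid 2) reaches every registered account even though query 2, which only follows users_roles, lists nobody for it. Query 1 is the one that surfaces that case.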


