Drupal Backup Migrate directory publicly accessible - Vulnerability Database

Drupal Backup Migrate directory publicly accessible

Description

The backup storage directory used by the Drupal Backup and Migrate module (backup_migrate) can be reached without authentication from the public internet. This directory typically holds compressed database dumps and full site archives; a database dump includes the user table with its password hashes as well as site configuration. The finding was confirmed by retrieving the module's canary file test.txt, whose content is the string "this file should not be publicly accessible", which shows that files in the directory can be listed or downloaded by anyone who knows or guesses their names.

Remediation

Immediately restrict public access to the Backup and Migrate storage directory using one of the following methods:

1. Move backups outside the web root (Recommended):
Configure the module's destination so that backups are written to a directory that no virtual host serves. With the default destination (private://backup_migrate) this means pointing Drupal's private file system at a path outside the document root: in Drupal 8 and later via $settings['file_private_path'] in settings.php, in Drupal 7 under Configuration → Media → File system. Alternatively, define a destination in the module's Destinations configuration with an absolute path such as /var/backups/drupal. The web server user needs write access to that directory, and nothing else should be granted access to it.

2. Add web server access restrictions:
For Apache, create or update the .htaccess file in the backup directory. Apache 2.4 uses the mod_authz_core syntax; Deny from all is Apache 2.2 syntax that 2.4 only accepts when mod_access_compat is loaded, so cover both cases the way Drupal's own private-directory .htaccess does:

<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
  Deny from all
</IfModule>

This only works if the server configuration lets .htaccess override access control for that path (AllowOverride All, or at least AuthConfig for Require and Limit for Deny). If overrides are disabled, put the same directives in a <Directory> block in the main configuration instead.

For Nginx, which ignores .htaccess files, add a location block to the server configuration that matches the private directory's actual path. Assuming the private file system lives at sites/default/files/private (adjust the pattern to your layout):
location ~* ^/sites/[^/]+/files/private/ {
    deny all;
}
Denying the whole private directory rather than only backup_migrate/ also covers other private files that must never be served directly. Regex locations are tried in configuration order and the first match wins, so place this block before any other regex location that could match the same path (for example a static-file handler), then reload nginx.

3. Verify protection:
After applying either restriction, request the test.txt file, and the URL of a known backup file, from outside your own network and confirm the response is 403 or 404 rather than the file contents; checking a real backup name as well as test.txt matters because a rule that blocks one path can miss another. Remove any backup files that were sitting in the publicly reachable location and regenerate them in the secured directory. Treat backups that were reachable while the directory was exposed as potentially disclosed: a database dump contains the user table with its password hashes, so consider forcing password resets and rotating any secrets stored in the database.
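The verification step above can be scripted so it runs after every deployment. The following is an added example, not code from this database entry or from the Backup and Migrate module. The candidate paths it checks are assumptions about common Drupal layouts (the private file system under sites/default/files/private, under sites/default/private, or a backup_migrate directory dropped into the public files area); add the path your site actually uses. It looks for the canary string rather than trusting a 200 status, so a server that answers every URL with a themed page is not reported as exposed.

```python
"""Probe a Drupal site for a publicly reachable Backup and Migrate directory.

Added verification helper; not code from the vulnerability database entry or
from the Backup and Migrate module. CANDIDATE_PATHS are assumptions about
common layouts; add the path your site actually uses.
"""
import sys
import urllib.error
import urllib.request

# Content of the test.txt canary that Backup and Migrate writes into its
# destination directory (the string quoted in the finding above).
CANARY = b"this file should not be publicly accessible"

# Assumed locations of the canary relative to the site root.
CANDIDATE_PATHS = [
    "sites/default/files/private/backup_migrate/test.txt",
    "sites/default/private/backup_migrate/test.txt",
    "sites/default/files/backup_migrate/test.txt",
]


def fetch(url, timeout=10):
    """GET url and return (status, first 4 KiB of body).

    HTTP error statuses are returned like any other response; connection-level
    failures (DNS, refused, TLS) come back as status 0.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "backup-migrate-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)
    except urllib.error.URLError as err:
        return 0, str(err).encode()


def classify(status, body):
    """Map one response to a verdict.

    exposed  - the canary was served, so the directory is publicly readable
    blocked  - the server refused the request (the desired post-fix state)
    absent   - nothing at this path (wrong path, or backups moved off the web root)
    unknown  - anything else, e.g. a 200 that is really Drupal's front page
    """
    if status == 200 and CANARY in body:
        return "exposed"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "absent"
    return "unknown"


def probe(base_url, paths=CANDIDATE_PATHS, fetch=fetch):
    """Check every candidate path under base_url; returns {url: verdict}."""
    base = base_url.rstrip("/")
    return {f"{base}/{p}": classify(*fetch(f"{base}/{p}")) for p in paths}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://example.org", file=sys.stderr)
        return 2
    results = probe(argv[1])
    for url, verdict in results.items():
        print(f"{verdict:8} {url}")
    # Non-zero exit if any path still serves the canary, so this can gate a deploy.
    return 1 if "exposed" in results.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host outside the site's network, since an internal allow-list can make a directory look blocked when it is open to the world. The fetch parameter of probe exists so the verdict logic can be exercised against canned responses without network access.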
