| Scoutnet vzw http://forum.scoutnet.be/ |
|
| [Drupal] Security announcements: Arbitrary code execution http://forum.scoutnet.be/viewtopic.php?f=19&t=1976 |
Pagina 1 van 1 |
| Auteur: | To [ 20 Okt 2007 13:14 ] |
| Titel: | [Drupal] Security announcements: Arbitrary code execution |
------------SA-2007-025 - DRUPAL CORE - ARBITRARY CODE EXECUTION VIA INSTALLER.------------ * Advisory ID: DRUPAL-SA-2007-025 * Project: Drupal core * Version: 5.x * Date: 2007-October-17 * Security risk: Highly critical * Exploitable from: Remote * Vulnerability: Arbitrary code execution ------------DESCRIPTION------------ The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server. An immediate workaround is the removal of the file install.php in the Drupal root directory. ------------VERSIONS AFFECTED------------ * Drupal 5.x before Drupal 5.3 ------------SOLUTION------------ Install the latest version: * If you are running Drupal 5.x then upgrade to Drupal 5.3 [ http://ftp.drupal.org/files/projects/drupal-5.3.tar.gz ]. If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. * To patch Drupal 5.2 use SA-2007-025-5.2.patch [ http://drupal.org/files/sa-2007-025/SA- ... -5.2.patch ]. ------------REPORTED BY------------ Mark Fallon Wolfgang Ziegler ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. |
|
| Pagina 1 van 1 | Alle tijden zijn UTC + 1 uur |
| Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/ |
|