SA-2007-025 – Drupal core – Arbitrary code execution via installer.

  • Advisory ID: DRUPAL-SA-2007-025
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution


The Drupal installer allows any visitor to provide credentials for a database when the site’s own database is not reachable. This allows attackers to run arbitrary code on the site’s server.

An immediate workaround is the removal of the file install.php in the Drupal root directory.

Versions affected

  • Drupal 5.x before Drupal 5.3


Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

Mark Fallon
Wolfgang Ziegler


The security contact for Drupal can be reached at security at or via the form at

Drupal version: 

Leave a Reply