SA-2007-025 – Drupal core – Arbitrary code execution via installer.

  • Advisory ID: DRUPAL-SA-2007-025
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution

Description

The Drupal installer allows any visitor to provide credentials for a database when the site’s own database is not reachable. This allows attackers to run arbitrary code on the site’s server.

An immediate workaround is the removal of the file install.php in the Drupal root directory.

Versions affected

  • Drupal 5.x before Drupal 5.3

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

Mark Fallon
Wolfgang Ziegler

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

Leave a Reply