Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12966
HistoryJun 03, 2006 - 12:00 a.m.

[DRUPAL-SA-2006-006] Drupal 4.6.7 / 4.7.1 fixes arbitrary file execution issue

2006-06-0300:00:00
vulners.com
12

Drupal security advisory DRUPAL-SA-2006-006

Advisory ID: DRUPAL-SA-2006-006
Project: Drupal core
Date: 2006-05-24
Security risk: highly critical
Impact: Drupal core
Where: from remote
Vulnerability: Execution of arbitrary files

Description

Certain – alas, typical – configurations of Apache allow execution of
carefully named arbitrary scripts in the files directory. Drupal now will
attempt to automatically create a .htaccess file in your "files" directory
to protect you.

Versions affected

All Drupal versions before 4.6.7 and also Drupal 4.7.0.

Solution

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.

Make sure you have a .htaccess in your "files" dir and it contains this line:

SetHandler This_is_a_Drupal_security_line_do_not_remove

Contact

The security contact for Drupal can be reached at [email protected]
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.

Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org