Home

SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations

webchick - May 25, 2006 - 01:19
  • Advisory ID: DRUPAL-SA-2006-006
  • Project: Drupal core
  • Date: 2006-May-24
  • Security risk: highly critical
  • Impact: Drupal core
  • Exploitable from: remote
  • Vulnerability: Execution of arbitrary files

Description

Certain -- alas, typical -- configurations of Apache allows execution of
carefully named arbitrary scripts in the files directory. Drupal now will
attempt to automatically create a .htaccess file in your "files" directory
to protect you.

Versions affected

- All Drupal versions before 4.6.7 and also Drupal 4.7.0.

Solution

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.
To patch Drupal 4.6.6 use the http://drupal.org/files/sa-2006-006/4.6.6.patch.
To patch Drupal 4.7.0 use the http://drupal.org/files/sa-2006-006/4.7.0.patch.

Make sure you have a .htaccess in your "files" dir and it contains this line:

SetHandler This_is_a_Drupal_security_line_do_not_remove

Reported by

milw0rm

Contact

The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

 
 

Drupal is a registered trademark of Dries Buytaert.