When a Drupal installation is not completed past the database configuration phase and install.php is left accessible via the internet, any visitor to install.php may complete the installation with a remote database of their selection.

Such a malicious user may use the remote database to execute code on the server.

The above also applies to sites that react to certain hostnames with an installation page and have a sites folder owned or writable by the webserver. Such inadvertent multisites may occur when no default settings.php is present and directory permissions are misconfigured.

These vulnerabilities are mitigated by setting directory and/or file permissions that prevent the webserver from writing to the sites/default/ and sites/ directories.

Versions affected

Drupal 6 core, Drupal 7 core and Drupal 8 core.


Always complete installations fully on servers exposed to the internet. Ensure that the webserver does not own the sites folder and cannot write to the sites folder.

Consider removing install.php after installation.

Consider installing and automating the execution of Security review which will identify weak file permissions and ownership.

Also see the Drupal core project page.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at or via the contact form at

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at