- Advisory ID: DRUPAL-PSA-2015-001 (corrected from DRUPAL-PSA-CONTRIB-2015-001)
- Project: Drupal core
- Version: 6.x, 7.x, 8.x
- Date: 2015-December-02
- Security risk: 17/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon
- Vulnerability: Multiple vulnerabilities
When a Drupal installation has not been completed past the database configuration step and install.php remains reachable from the internet, any visitor to install.php can finish the installation against a remote database of their choosing.
An attacker who controls the database a site reads from controls the site, and can use that position to execute code on the server.
The same applies to sites that answer requests for certain hostnames with an installation page and whose sites/ folder is owned or writable by the webserver. Drupal picks its settings directory by matching the request hostname against subdirectories of sites/, so such inadvertent multisites can arise when no default settings.php is present and directory permissions are misconfigured.
These vulnerabilities are mitigated by setting directory and/or file permissions that prevent the webserver from writing to the sites/default/ and sites/ directories.
Versions affected
Drupal 6 core, Drupal 7 core and Drupal 8 core.
Solution
Always complete installations fully on servers exposed to the internet; a half-installed site should not be reachable. Ensure that the webserver neither owns nor can write to the sites/ folder (and sites/default/ within it).
Consider removing install.php after installation (in Drupal 8 it lives at core/install.php).
Consider installing and automating the execution of the Security review module, which identifies weak file permissions and ownership.
Also see the Drupal core project page.
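The checks above can be scripted against a docroot. The following shell script is an added example written for this page; it is not part of Drupal or the Security review module, the function names are its own, and it assumes GNU coreutils stat (Linux) and that the webserver's primary group shares its user's name (as with www-data:www-data). It reports an incomplete installation (no sites/default/settings.php), a sites/ or sites/default/ directory the webserver can write, a leftover installer script, and hostname-named site directories without their own settings.php:

```shell
#!/bin/sh
# Added example for this advisory: a docroot checker for the conditions it
# describes. Not part of Drupal or the Security review module; the function
# names are my own. Requires GNU coreutils stat (Linux).
#
#   . ./audit_drupal_root.sh && audit_drupal_root /var/www/drupal www-data
#
# Prints one "FINDING:" line per problem and returns the number of findings.

# dir_writable_by DIR USER: succeed (0) if USER could write DIR, judged from the
# directory's owner, group and permission bits. Assumption: the webserver's
# primary group has the same name as its user (e.g. www-data:www-data).
dir_writable_by() {
    _dwb_info=$(stat -c '%U %G %a' "$1") || return 2
    _dwb_user=$2
    set -- $_dwb_info
    _dwb_owner=$1
    _dwb_group=$2
    # Zero-pad, then keep the last three octal digits (drops setuid/setgid/sticky).
    _dwb_mode=$(printf '%03d' "$3")
    _dwb_mode=${_dwb_mode#"${_dwb_mode%???}"}
    _dwb_u=${_dwb_mode%??}
    _dwb_g=${_dwb_mode#?}; _dwb_g=${_dwb_g%?}
    _dwb_o=${_dwb_mode#??}
    case $_dwb_u in
        2|3|6|7) if [ "$_dwb_owner" = "$_dwb_user" ]; then return 0; fi ;;
    esac
    case $_dwb_g in
        2|3|6|7) if [ "$_dwb_group" = "$_dwb_user" ]; then return 0; fi ;;
    esac
    case $_dwb_o in
        2|3|6|7) return 0 ;;
    esac
    return 1
}

_drupal_finding() {
    echo "FINDING: $1"
    drupal_findings=$((drupal_findings + 1))
}

# audit_drupal_root DOCROOT WEBUSER: apply the advisory's checks to a Drupal
# docroot. Returns the number of findings (0 means nothing to report).
audit_drupal_root() {
    _adr_root=$1
    _adr_user=$2
    drupal_findings=0

    # An installation that stopped before the database step has no settings.php,
    # so install.php will run for any visitor.
    if [ ! -f "$_adr_root/sites/default/settings.php" ]; then
        _drupal_finding "sites/default/settings.php is missing: the installer is reachable"
    fi

    # The advisory's mitigation: the webserver must not be able to write
    # sites/ or sites/default/.
    for _adr_d in sites sites/default; do
        if [ -d "$_adr_root/$_adr_d" ] && dir_writable_by "$_adr_root/$_adr_d" "$_adr_user"; then
            _drupal_finding "$_adr_d/ is writable by $_adr_user"
        fi
    done

    # Installer script left in place (install.php in 6.x/7.x, core/install.php in 8.x).
    for _adr_f in install.php core/install.php; do
        if [ -f "$_adr_root/$_adr_f" ]; then
            _drupal_finding "$_adr_f is still present; consider removing it"
        fi
    done

    # Hostname-named site directories without their own settings.php are the
    # raw material of the inadvertent multisite the advisory describes.
    for _adr_d in "$_adr_root"/sites/*/; do
        [ -d "$_adr_d" ] || continue
        _adr_name=$(basename "$_adr_d")
        case $_adr_name in all|default) continue ;; esac
        if [ ! -f "$_adr_d/settings.php" ]; then
            _drupal_finding "sites/$_adr_name/ has no settings.php (possible inadvertent multisite)"
        fi
    done

    return $drupal_findings
}
```

Source the file and call audit_drupal_root with the docroot and the webserver user; a non-zero return is the finding count, which makes it easy to wire into a cron job or a deployment gate. The permission test deliberately reads owner, group and mode bits rather than using `test -w`, so it gives the same answer whoever runs it (including root).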
- Heine Deelstra of the Drupal security team
- Greg Knaddison of the Drupal security team
- Michael Hess of the Drupal security team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity