Make something amazing, for anyone, at DrupalCon. Standard prices end on August 26.
- Advisory ID: DRUPAL-SA-2007-025
- Project: Drupal core
- Version: 5.x
- Date: 2007-October-17
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary code execution
The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server.
An immediate workaround is the removal of the file install.php in the Drupal root directory.
- Drupal 5.x before Drupal 5.3
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 5.2 use SA-2007-025-5.2.patch.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.