Rasool Nasr replied privately with additional details:

- quote

"You must go to the profile folder and create a file with .profile
extension. Then you must copy your shell (such as c99) into created file
for example create shell .profile and then use it with this sample:

http://[sitename]/drupal/install.php?profile=shell";

- unquote

Response:

Installation profiles define which modules should be enabled, and can
customize the installation after they have been installed. This
allows customized "distributions" that enable and configure a set of
modules that work together for a specific kind of site (Drupal for
bloggers, Drupal for musicians, Drupal for developers, and so on).

Just like other Drupal directories, the profiles directory is normally
not writable by the webserver.

The reported "vulnerability" is therefore in the same league as "ZOMG
- IF YOU OVERWRITE INDEX.PHP, TEH CODE IS EXECUTED!!!!"



Regards

Heine Deelstra

--
Drupal security team

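One way to check the permission claim in the response above on a given install, as an added example that is not part of the original message or Drupal's own code: it walks the profiles directory and reports every path the web server account could write according to Unix mode bits. The `web_uid` and `web_gids` parameters and the sample tree are constructed assumptions.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Unix mode-bit write check for a non-root uid (ACLs are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_profiles(drupal_root, web_uid, web_gids):
    """List paths under <drupal_root>/profiles the web server uid can write."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(drupal_root, "profiles")):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link mode bits say nothing about the target
            if writable_by(st, web_uid, web_gids):
                findings.append(path)
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one sane profile, one world-writable directory."""
    root = tempfile.mkdtemp()
    layout = {"profiles": 0o755, "profiles/default": 0o755, "profiles/loose": 0o777}
    for rel, mode in layout.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    prof = os.path.join(root, "profiles/default/default.profile")
    with open(prof, "w") as fh:
        fh.write("<?php\n")
    os.chmod(prof, 0o644)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # Hypothetical web server identity: a uid that owns nothing in the tree.
    for path in audit_profiles(root, web_uid=os.getuid() + 1, web_gids=set()):
        print("writable by web server:", path)
```

On a real host, pass the uid and group ids of the account the web server runs as; an empty result matches the "not writable by the webserver" condition the response relies on.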