Package: drupal
Version: 4.5.8-1
Severity: grave
Tags: security
Justification: user security hole
http://drupal.org/node/65409

------------EXECUTION OF ARBITRARY FILES IN CERTAIN APACHE CONFIGURATIONS------------

* Advisory ID: DRUPAL-SA-2006-006
* Project: Drupal core
* Date: 2006-May-24
* Security risk: highly critical
* Impact: Drupal core
* Exploitable from: remote
* Vulnerability: Execution of arbitrary files

------------DESCRIPTION------------

Certain -- alas, typical -- configurations of Apache allow execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you.

------------VERSIONS AFFECTED------------

- All Drupal versions before 4.6.7 and also Drupal 4.7.0.

------------SOLUTION------------

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.

Make sure you have a .htaccess in your "files" dir and it contains this line:

SetHandler This_is_a_Drupal_security_line_do_not_remove

------------REPORTED BY------------

milw0rm

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or using the form at [http://drupal.org/contact].
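The advisory's only configuration-level mitigation is the single SetHandler line in the "files" directory's .htaccess. The script below checks for that exact line and appends it when it is absent. It is an added example written for this report, not code from the bug report, the Debian package or the Drupal project; the path to the files directory is assumed to be supplied by the caller, and the demonstration at the end runs against a constructed temporary directory rather than a real Drupal install.

```shell
#!/bin/sh
# Added example (not from the Debian bug report or Drupal): verify that a
# Drupal "files" directory carries the .htaccess line named in
# DRUPAL-SA-2006-006, and add it when missing. The directory path is an
# assumption passed in by the caller.

DRUPAL_SA_LINE='SetHandler This_is_a_Drupal_security_line_do_not_remove'

# check_files_htaccess DIR
# Exit status 0: DIR/.htaccess exists and contains the exact protective line.
# Exit status 1: DIR/.htaccess does not exist.
# Exit status 2: DIR/.htaccess exists but lacks the line.
check_files_htaccess() {
    dir=$1
    htaccess="$dir/.htaccess"
    [ -f "$htaccess" ] || return 1
    # -x matches the whole line, -F takes the pattern literally
    grep -qxF "$DRUPAL_SA_LINE" "$htaccess" || return 2
    return 0
}

# ensure_files_htaccess DIR
# Creates DIR/.htaccess, or appends the line to an existing one, when
# check_files_htaccess reports it missing. Existing directives are kept.
ensure_files_htaccess() {
    dir=$1
    htaccess="$dir/.htaccess"
    if check_files_htaccess "$dir"; then
        return 0
    fi
    printf '%s\n' "$DRUPAL_SA_LINE" >> "$htaccess"
    check_files_htaccess "$dir"
}

# Demonstration on a constructed temporary directory standing in for files/.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/files"
if check_files_htaccess "$demo_dir/files"; then
    echo "files/.htaccess already carries the SA-2006-006 line"
else
    echo "files/.htaccess missing or incomplete; adding the line"
fi
ensure_files_htaccess "$demo_dir/files" && echo "files/ now protected"
rm -rf "$demo_dir"
```

The check only confirms the line is present in the file. It cannot tell whether Apache will actually honour .htaccess in that directory, which depends on the server's AllowOverride setting (SetHandler is only read when FileInfo overrides are permitted), so that setting has to be confirmed in the Apache configuration separately.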
-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages drupal depends on:
ii  apache-ssl [httpd]            1.3.34-2   versatile, high-performance HTTP s
ii  apache2-mpm-prefork [httpd]   2.0.55-4   traditional model for Apache2
ii  debconf [debconf-2.0]         1.5.0      Debian configuration management sy
ii  libapache2-mod-php4           4:4.4.2-1  server-side, HTML-embedded scripti
ii  makepasswd                    1.10-3     Generate and encrypt passwords
ii  mysql-client-5.0 [mysql-clien 5.0.18-7   mysql database client binaries
ii  php4-cgi                      4:4.4.2-1  server-side, HTML-embedded scripti
ii  php4-cli                      4:4.4.2-1  command-line interpreter for the p
ii  php4-mysql                    4:4.4.2-1  MySQL module for php4
ii  php4-pgsql                    4:4.4.2-1  PostgreSQL module for php4
ii  postfix [mail-transport-agent 2.1.5-9    A high-performance mail transport
ii  postgresql-client             7.5.19     front-end programs for PostgreSQL
ii  wwwconfig-common              0.0.45     Debian web auto configuration

Versions of packages drupal recommends:
ii  mysql-server-5.0 [mysql-serve 5.0.18-7   mysql database server binaries
ii  postgresql                    7.5.19     object-relational SQL database man

-- debconf information:
  drupal/remove_backups: false
  drupal/createuser_failed:
  drupal/db_auto_update: true
  drupal/dropdb_failed:
  drupal/upgradedb_impossible:
  drupal/dbgeneration: false
  drupal/dbtype: MySQL
  drupal/database_doremove: false
  drupal/createdb_failed:
  drupal/dbserver: localhost
  drupal/webserver: apache
  drupal/upgradedb_failed:
  drupal/dbname: drupal
  drupal/dbuser: drupal
  drupal/dbadmin: root
  drupal/initdb_failed:
  drupal/conffile_failed: