[Secure-testing-team] Bug#690817: [drupal7] [Security-news] SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Ingo Juergensmann ij at 2011.bluespice.org
Wed Oct 17 22:13:08 UTC 2012


Package: drupal7
Version: 7.14-1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

There is currently a security issue with Drupal 7.14 in unstable, being
shipped with wheezy.

http://drupal.org/node/1815912 is about Arbitrary PHP code execution of 
Drupal core up to 7.16:

   * Advisory ID: DRUPAL-SA-CORE-2012-003
   * Project: Drupal core [1]
   * Version: 7.x
   * Date: 2012-October-17
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure, Arbitrary PHP code execution

-------- DESCRIPTION ---------------------------------------------------------

Multiple vulnerabilities were discovered in Drupal core.

.... Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to
re-install Drupal using an external database server under certain transient
conditions. This could allow the attacker to execute arbitrary PHP code on
the original server.

This vulnerability is mitigated by the fact that the re-installation can only
be successful if the site's settings.php file or sites directories are
writeable by or owned by the webserver user. Configuring the Drupal
installation to be owned by a different user than the webserver user (and not
to be writeable by the webserver user) is a recommended security best
practice [3]. However, in all cases the transient conditions expose
information to an attacker who accesses install.php, and therefore this
security update should be applied to all Drupal 7 sites.


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-4-amd64

Debian Release: wheezy/sid
   500 unstable        www.debian-multimedia.org
   500 unstable        ftp.de.debian.org

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-============
debconf                    (>= 0.5)  | 1.5.46
  OR debconf-2.0                      |
apache2                              | 2.2.22-11
  OR httpd                            |
php5                                 | 5.4.4-7
php5-mysql                           | 5.4.4-7
  OR php5-pgsql                       | 5.4.4-7
php5-gd                              | 5.4.4-7
default-mta                          |
  OR mail-transport-agent             |
wwwconfig-common         (>= 0.0.37) | 0.2.2
mysql-client                         | 5.5.24+dfsg-9
  OR virtual-mysql-client             |
  OR postgresql-client                | 9.1+134wheezy1
dbconfig-common                      | 1.8.47+nmu1
curl                                 | 7.27.0-1


Recommends        (Version) | Installed
===========================-+-===========
mysql-server                | 5.5.24+dfsg-9
  OR postgresql              | 9.1+134wheezy1


Package's Suggests field is empty.




-- 
Ciao...            //      Fon: 0381-2744150
       Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
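
An added check, not part of the report or of Drupal's own code, for the mitigating condition the advisory describes: whether settings.php or the sites directories are owned by, or writable by, the webserver user. It assumes GNU coreutils stat (as on Debian) and takes the Drupal root and webserver user as arguments; /usr/share/drupal7 and www-data are assumed typical values for a Debian package install.

```shell
#!/bin/sh
# Added example: audit a Drupal 7 tree for the condition the advisory names
# as making re-installation possible (settings.php or sites/ directories
# owned by, or writable by, the webserver user). Assumes GNU stat.

# Report one path if it is owned by the given user or has a group/other
# write bit set. Prints a finding line and returns 1 on a hit, 0 otherwise.
check_path() {
    p=$1; wwwuser=$2; hit=0
    if [ "$(stat -c %U "$p")" = "$wwwuser" ]; then
        echo "OWNED-BY-WEBSERVER $p"; hit=1
    fi
    mode=$(stat -c %a "$p")      # e.g. 644 or 2775; digits read right-to-left
    g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
    if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
        echo "WRITABLE-BY-GROUP-OR-OTHER $p (mode $mode)"; hit=1
    fi
    return $hit
}

# Usage: drupal_writable_check DRUPAL_ROOT WEBSERVER_USER
# Walks sites/, every sites/* directory and each settings.php found there.
# Returns 0 when nothing is owned/writable by the webserver user, 1 otherwise,
# 2 when the tree has no sites/ directory at all.
drupal_writable_check() {
    root=$1; wwwuser=$2; findings=0
    [ -d "$root/sites" ] || { echo "no sites directory under $root" >&2; return 2; }
    check_path "$root/sites" "$wwwuser" || findings=$((findings + 1))
    for d in "$root"/sites/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        check_path "$d" "$wwwuser" || findings=$((findings + 1))
        if [ -e "$d/settings.php" ]; then
            check_path "$d/settings.php" "$wwwuser" || findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run directly against a tree when invoked with arguments,
# e.g.: sh drupal_writable_check.sh /usr/share/drupal7 www-data
if [ $# -ge 1 ]; then
    drupal_writable_check "$1" "${2:-www-data}"
fi
```

A non-zero exit means at least one path was listed; the paths printed are the ones to chown away from the webserver account or strip write bits from.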