
Drupal CMS vulnerability

  • OS details: MAC, LDE, FED, FBS, LGE, HPU, LRH, LSU, LUB, W03, W08, WN7, VIS
  • Importance: URG
  • Operating systems: O
  • Categories: APL, LDE, LFE, FBS, LGE, HPQ, LRH, LSU, ALL, LUB, W10, W03, W08, W12, WN7, WN8, VIS

View online:

* Advisory ID: DRUPAL-PSA-CONTRIB-2015-001
* Project: Drupal core [1]
* Version: 6.x, 7.x, 8.x
* Date: 2015-December-02
* Security risk: 17/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon [2]
* Vulnerability: Multiple vulnerabilities


When a Drupal installation is not completed past the database configuration
phase and install.php is left accessible via the internet, any visitor to
install.php may complete the installation with a remote database of their

Such a malicious user may use the remote database to execute code on the

The above also applies to sites that react to certain hostnames with an
installation page and have a sites folder owned or writable by the webserver.
Such inadvertent multisites may occur when no default settings.php is present
and directory permissions are misconfigured.

These vulnerabilities are mitigated by setting directory and/or file
permissions that prevent the webserver from writing to the sites/default/ and
sites/ directories.


* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./


Drupal 6 core, Drupal 7 core and Drupal 8 core.


Always complete installations fully on servers exposed to the internet.
Ensure that the webserver does not own the sites folder and cannot write to
the sites folder.

Consider removing install.php after installation.

Consider installing and automating the execution of Security review [4] which
will identify weak file permissions and ownership.
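The mitigation above comes down to two file-system facts an administrator can verify from a shell: the webserver account must not own or be able to write to sites/ and sites/default/, and install.php should be gone once the installation is complete. The POSIX sh script below is an added example written for this page; it is not part of the Drupal project, the Security review module, or the advisory. It assumes the webserver runs as the user and group www-data (a Debian convention; substitute your own) and builds two throwaway document roots with mktemp so it can be run without touching a real site.

```shell
#!/bin/sh
# Added example (not Drupal's code): check the permissions the PSA above
# recommends. Uses only ls and find so it runs on GNU and BSD systems alike.

# check_dir DIR WEBUSER WEBGROUP
# Prints one line per finding. Returns 1 if the webserver account could write
# to DIR, 0 if it cannot, 2 if DIR is missing.
check_dir() {
    dir=$1 webuser=$2 webgroup=$3
    rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    # owner and group are fields 3 and 4 of ls -ld, portable across stat variants
    set -- $(ls -ld "$dir")
    owner=$3 group=$4
    if [ "$owner" = "$webuser" ]; then
        echo "RISK $dir is owned by webserver user $webuser"; rc=1
    fi
    # -prune stops find from descending; the path prints only if the mode matches
    if [ "$group" = "$webgroup" ] && [ -n "$(find "$dir" -prune -perm -g+w)" ]; then
        echo "RISK $dir is group-writable by webserver group $webgroup"; rc=1
    fi
    if [ -n "$(find "$dir" -prune -perm -o+w)" ]; then
        echo "RISK $dir is world-writable"; rc=1
    fi
    return $rc
}

# audit_docroot DOCROOT WEBUSER WEBGROUP
# Applies check_dir to sites/ and sites/default/, flags a leftover install.php
# and a missing settings.php. Returns 0 when nothing was found.
audit_docroot() {
    docroot=$1 webuser=$2 webgroup=$3
    status=0
    for d in "$docroot/sites" "$docroot/sites/default"; do
        check_dir "$d" "$webuser" "$webgroup" || status=1
    done
    if [ -f "$docroot/install.php" ]; then
        echo "NOTE $docroot/install.php is still present; remove it once installation is complete"
        status=1
    fi
    if [ ! -f "$docroot/sites/default/settings.php" ]; then
        echo "RISK no $docroot/sites/default/settings.php; requests may reach the installer"
        status=1
    fi
    return $status
}

# make_fixture MODE: constructed test docroot under mktemp -d, path printed.
# "weak" keeps install.php and makes sites/default world-writable;
# "hardened" removes install.php and sets both directories to 755.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sites/default"
    : > "$root/sites/default/settings.php"
    if [ "$1" = weak ]; then
        : > "$root/install.php"
        chmod 777 "$root/sites/default"
    else
        chmod 755 "$root/sites" "$root/sites/default"
    fi
    echo "$root"
}

# Stand-alone demo on the two constructed fixtures (no real site is touched).
for mode in weak hardened; do
    root=$(make_fixture "$mode")
    echo "== $mode docroot: $root"
    if audit_docroot "$root" www-data www-data; then
        echo "OK nothing found"
    fi
    rm -rf "$root"
done
```

On a live server, run `audit_docroot /var/www/drupal www-data www-data` (path and account are assumptions to adjust) and treat any RISK line as a configuration to fix before the site is exposed. The owner comparison is a string match on the account name, so a numeric-only ls output (no passwd entry) will not trigger it; the mode-bit checks work regardless.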

Also see the Drupal core [5] project page.


* Heine Deelstra [6] of the Drupal security team
* Greg Knaddison [7] of the Drupal security team
* Michael Hess [8] of the Drupal security team


The Drupal security team can be reached at security at or via the
contact form at [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].

Follow the Drupal Security Team on Twitter at [13]



Author: Tomislav Protega
Cert ID: NCERT-REF-2015-12-0011-ADV
Original ID: DRUPAL-PSA-CONTRIB-2015-001