View online: https://www.drupal.org/PSA-2015-001

* Advisory ID: DRUPAL-PSA-CONTRIB-2015-001
* Project: Drupal core [1]
* Version: 6.x, 7.x, 8.x
* Date: 2015-December-02
* Security risk: 17/25 ( Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon [2]
* Vulnerability: Multiple vulnerabilities

——– DESCRIPTION
———————————————————

When a Drupal installation is not completed past the database configuration
phase and install.php is left accessible via the internet, any visitor to
install.php may complete the installation with a remote database of their
selection.

Such a malicious user may use the remote database to execute code on the
server.

The above also applies to sites that react to certain hostnames with an
installation page and have a sites folder owned or writable by the webserver.
Such inadvertent multisites may occur when no default settings.php is present
and directory permissions are misconfigured.

These vulnerabilities are mitigated by setting directory and/or file
permissions that prevent the webserver from writing to the sites/default/ and
sites/ directories.

——– CVE IDENTIFIER(S) ISSUED
——————————————–

* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

——– VERSIONS AFFECTED
—————————————————

Drupal 6 core, Drupal 7 core and Drupal 8 core.

——– SOLUTION
————————————————————

Always complete installations fully on servers exposed to the internet.
Ensure that the webserver does not own the sites folder and cannot write to
the sites folder.

Consider removing install.php after installation.

Consider installing and automating the execution of Security review [4] which
will identify weak file permissions and ownership.

Also see the Drupal core [5] project page.

——– COORDINATED BY
——————————————————

* Heine Deelstra [6] of the Drupal security team
* Greg Knaddison [7] of the Drupal security team
* Michael Hess [8] of the Drupal security team

——– CONTACT AND MORE INFORMATION
—————————————-

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/security_review
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/u/heine
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news