- OS details: MAC, LDE, FED, FBS, LGE, HPU, LRH, LSU, LUB, W03, W08, WN7, VIS
- Importance: URG
- Operating systems: O
- Categories: APL, LDE, LFE, FBS, LGE, HPQ, LRH, LSU, ALL, LUB, W10, W03, W08, W12, WN7, WN8, VIS
View online: https://www.drupal.org/PSA-2015-001
* Advisory ID: DRUPAL-PSA-CONTRIB-2015-001
* Project: Drupal core 
* Version: 6.x, 7.x, 8.x
* Date: 2015-December-02
* Security risk: 17/25 (Critical)
* Vulnerability: Multiple vulnerabilities
When a Drupal installation is not completed past the database configuration
phase and install.php is left accessible via the internet, any visitor to
install.php may complete the installation with a remote database of their
Such a malicious user may use the remote database to execute code on the
The above also applies to sites that react to certain hostnames with an
installation page and have a sites folder owned or writable by the webserver.
Such inadvertent multisites may occur when no default settings.php is present
and directory permissions are misconfigured.
These vulnerabilities are mitigated by setting directory and/or file
permissions that prevent the webserver from writing to the sites/default/ and
-------- CVE IDENTIFIER(S) ISSUED
* A CVE identifier will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
Drupal 6 core, Drupal 7 core and Drupal 8 core.
Always complete installations fully on servers exposed to the internet.
Ensure that the webserver does not own the sites folder and cannot write to
the sites folder.
Consider removing install.php after installation.
Consider installing and automating the execution of Security review, which
will identify weak file permissions and ownership.
Also see the Drupal core project page.
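The ownership and permission checks recommended above can be scripted. The following is an added example, not code from the advisory or from the Drupal project; the function names, finding strings and command-line usage are hypothetical, and write access is judged from POSIX mode bits only.

```python
import grp
import pwd
import stat
import sys
from pathlib import Path


def web_can_write(st, web_uid, web_gids):
    """Judge write access from mode bits alone (POSIX ACLs are not inspected)."""
    if st.st_uid == web_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in web_gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, web_uid, web_gids=frozenset()):
    """Return (relative path, finding) tuples for one Drupal docroot."""
    root = Path(docroot)
    findings = []
    for rel in ("sites", "sites/default"):
        path = root / rel
        if not path.is_dir():
            findings.append((rel, "missing"))
            continue
        st = path.stat()
        if st.st_uid == web_uid:
            # An owner can always chmod the directory back to writable.
            findings.append((rel, "owned by web server account"))
        elif web_can_write(st, web_uid, web_gids):
            findings.append((rel, "writable by web server account"))
    if not (root / "sites/default/settings.php").is_file():
        findings.append(("sites/default/settings.php", "absent"))
    # install.php is in the docroot on 6.x/7.x and under core/ on 8.x.
    for rel in ("install.php", "core/install.php"):
        if (root / rel).is_file():
            findings.append((rel, "still present"))
    return findings


if __name__ == "__main__":
    # Usage (constructed example): python3 audit.py /var/www/html www-data
    docroot, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if account in g.gr_mem}
    results = audit_docroot(docroot, pw.pw_uid, frozenset(gids))
    for rel, finding in results:
        print(f"{rel}: {finding}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the script run from cron or a deployment pipeline and fail the job.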
-------- COORDINATED BY
* Heine Deelstra of the Drupal security team
* Greg Knaddison of the Drupal security team
* Michael Hess of the Drupal security team
-------- CONTACT AND MORE INFORMATION
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.