CVSS v2 base score: 6.8 (Medium)
CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P (Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)
EPSS: 0.166 (Low), percentile 96.1%
Multiple vulnerabilities were discovered in Drupal core.
A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.
This vulnerability is mitigated by the fact that the re-installation can only be successful if the site’s settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites.
CVE: CVE-2012-4553
For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.
CVE: CVE-2012-4554
Drupal 6 is not affected.
Install the latest version:
If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.
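The advisory ties exploitability to one filesystem state (settings.php or a sites directory writable by, or owned by, the webserver user) and names removing or blocking install.php as the interim mitigation. The following audit script is an added example, not code from the advisory or from Drupal; the docroot it scans is a constructed sample, and the webserver uid/gids are assumed to be supplied by the operator.

```python
"""Audit a Drupal 7 docroot for the precondition the advisory names: settings.php
or a sites/* directory writable by or owned by the webserver user (constructed example)."""
import os
import stat
import tempfile
from pathlib import Path

def writable_by(path: Path, uid: int, gids: set) -> bool:
    """True if a process running as uid/gids can write path (owner, group or other bit)."""
    st = path.lstat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def risky_paths(drupal_root, web_uid: int, web_gids: set) -> list:
    """sites/* directories and settings.php files (relative to the docroot)
    that the webserver user owns or could write; empty list means hardened."""
    root = Path(drupal_root)
    sites = root / "sites"
    findings = []
    if not sites.is_dir():
        return findings
    for site_dir in sorted(p for p in sites.iterdir() if p.is_dir()):
        for target in (site_dir, site_dir / "settings.php"):
            if not target.exists():
                continue
            if target.lstat().st_uid == web_uid or writable_by(target, web_uid, web_gids):
                findings.append(target.relative_to(root).as_posix())
    return findings

def install_php_exposed(drupal_root) -> bool:
    """install.php still present; the interim mitigation is to remove or block it."""
    return (Path(drupal_root) / "install.php").is_file()

def build_sample_tree(settings_mode: int = 0o444) -> str:
    """Constructed sample docroot (not a real site) used for the demonstration."""
    root = Path(tempfile.mkdtemp())
    (root / "install.php").write_text("<?php // placeholder\n")
    for site in ("all", "default"):
        (root / "sites" / site).mkdir(parents=True)
        os.chmod(root / "sites" / site, 0o755)  # not world-writable
    settings = root / "sites" / "default" / "settings.php"
    settings.write_text("<?php // placeholder\n")
    os.chmod(settings, settings_mode)
    return str(root)
```

Because the sample tree is created by the current process, passing its own uid as the webserver uid reproduces the vulnerable ownership case, while an unrelated uid with no matching group shows the hardened result.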
Also see the Drupal core project page.