Message-ID: <20090218132220.32360.qmail@securityfocus.com>
Date: 18 Feb 2009 13:22:20 -0000
From: security@...pal.org
To: bugtraq@...urityfocus.com
Subject: Re: LFI in Drupal CMS
Rasool Nasr replied privately with additional details:
- quote
"You must go to the profile folder and create a file with .profile
extension. Then you must copy your shell (such as c99) into created file
for example create shell .profile and then use it with this sample:
http://[sitename]/drupal/install.php?profile=shell"
- unquote
Response:
Installation profiles define which modules should be enabled, and can
customize the installation after they have been installed. This
allows customized "distributions" that enable and configure a set of
modules that work together for a specific kind of site (Drupal for
bloggers, Drupal for musicians, Drupal for developers, and so on).
Just like other Drupal directories, the profiles directory is normally
not writable by the webserver.
The reported "vulnerability" is therefore in the same league as "ZOMG
- IF YOU OVERWRITE INDEX.PHP, TEH CODE IS EXECUTED!!!!"
Regards
Heine Deelstra
--
Drupal security team
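The response's point is that the profiles directory, like the rest of the Drupal code tree, must not be writable by the webserver account; if it is, the problem is the file permissions, not install.php. The following is an added example (not from this thread or the Drupal project): a POSIX shell audit that lists every path under a Drupal root the webserver user could write to, judged from ownership and mode bits. The Drupal root and the webserver user name are assumed arguments, and sites/*/files is skipped because Drupal legitimately writes uploads there.

```shell
#!/bin/sh
# Added example, not Drupal's own code. Assumes POSIX sh with ls(1), id(1),
# cut(1) and find(1). Checks are mode-based only: a root-owned webserver
# process could write anywhere, and ACLs are not inspected.

# path_writable_by PATH USER
# Returns 0 if USER could write PATH according to the owner/group/other
# write bits, 1 if not, 2 if PATH does not exist.
path_writable_by() {
    path=$1
    user=$2
    [ -e "$path" ] || return 2
    set -- $(ls -ld "$path")          # fields: mode links owner group ...
    mode=$1
    owner=$3
    group=$4
    ow=$(printf '%s' "$mode" | cut -c3)   # owner write bit
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    xw=$(printf '%s' "$mode" | cut -c9)   # other write bit
    # world-writable: anyone, including the webserver, can write
    [ "$xw" = "w" ] && return 0
    # owner-writable and the webserver account is the owner
    [ "$ow" = "w" ] && [ "$owner" = "$user" ] && return 0
    # group-writable and the webserver account is in that group
    if [ "$gw" = "w" ]; then
        for g in $(id -Gn "$user" 2>/dev/null || true); do
            [ "$g" = "$group" ] && return 0
        done
    fi
    return 1
}

# audit_drupal_tree ROOT USER
# Prints each path under ROOT that USER could write to, one per line.
# sites/*/files is pruned because Drupal writes uploaded files there.
audit_drupal_tree() {
    root=$1
    user=$2
    find "$root" -path "$root/sites/*/files" -prune -o -print |
    while read -r p; do
        path_writable_by "$p" "$user" && printf '%s\n' "$p"
    done
}

# Usage (WEB_USER and /var/www/drupal are placeholders for your site):
#   audit_drupal_tree /var/www/drupal www-data
# An empty result means no code directory (profiles/, modules/, includes/,
# index.php, ...) is writable by the webserver account.
```

Run it as a user that can read the whole tree; any line it prints is a path where an attacker who controls the webserver process could drop code, which is the precondition the quoted report silently assumes.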