lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090218132220.32360.qmail@securityfocus.com>
Date: 18 Feb 2009 13:22:20 -0000
From: security@...pal.org
To: bugtraq@...urityfocus.com
Subject: Re: LFI in Drupal CMS

Rasool Nasr replied privately with additional details:

- quote

"You must go to the profile folder and create a file with .profile
extension.Then you must copy your shell(such as c99) into created file
for example create shell .profile and then use it with this sample:

http://[sitename]/drupal/install.php?profile=shell"

- unquote


Response:

Installation profiles define which modules should be enabled, and can
customize the installation after they have been installed. This
allows customized "distributions" that enable and configure a set of
modules that work together for a specific kind of site (Drupal for
bloggers, Drupal for musicians, Drupal for developers, and so on).

Just like other Drupal directories, the profiles directory is normally
not writable by the webserver.

The reported "vulnerability" is therefore in the same league as "ZOMG
- IF YOU OVERWRITE INDEX.PHP, TEH CODE IS EXECUTED!!!!""

Regards

Heine Deelstra

--
Drupal security team

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ