SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations

2006-05-24T00:00:00
ID DRUPAL-SA-2006-006
Type drupal
Reporter Drupal Security Team
Modified 2006-05-24T00:00:00

Description

Certain -- alas, typical -- configurations of Apache allows execution of
carefully named arbitrary scripts in the files directory. Drupal now will
attempt to automatically create a .htaccess file in your "files" directory
to protect you. This line references SA_2006_006 to lead Apache administrators to this announcement.

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

Versions affected

- All Drupal versions before 4.6.7 and also Drupal 4.7.0.

Solution

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.
To patch Drupal 4.6.6 use the http://drupal.org/files/sa-2006-006/4.6.6.patch.
To patch Drupal 4.7.0 use the http://drupal.org/files/sa-2006-006/4.7.0.patch.

Make sure you have a .htaccess in your "files" dir and it contains this line:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

Reported by

milw0rm