drupal -- multiple vulnerabilities

2006-05-18T00:00:00
ID 40A0185F-EC32-11DA-BE02-000C6EC775D9
Type freebsd
Reporter FreeBSD
Modified 2006-05-18T00:00:00

Description

The Drupal team reports:

Vulnerability: SQL injection A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer.

Vulnerability: Execution of arbitrary files Certain -- alas, typical -- configurations of Apache allows execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you.