SA-2007-025 - Drupal core - Arbitrary code execution via installer.

The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server. An immediate workaround is the removal of the file install.php in the Drupal root directory. Versions...