FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- multiple vulnerabilities

Affected packages
drupal < 4.6.7


VuXML ID 40a0185f-ec32-11da-be02-000c6ec775d9
Discovery 2006-05-18
Entry 2006-06-05

The Drupal team reports:

Vulnerability: SQL injection

A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer.

Vulnerability: Execution of arbitrary files

Certain -- alas, typical -- configurations of Apache allows execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you.


CVE Name CVE-2006-2742
CVE Name CVE-2006-2743