V-052: Drupal Core Access Bypass and Arbitrary PHP Code Execution Vulnerabilities

December 21, 2012 - 12:15am

PROBLEM:

Drupal Core Access Bypass and Arbitrary PHP Code Execution Vulnerabilities

PLATFORM:

Drupal 6.x versions prior to 6.27
Drupal 7.x versions prior to 7.18

ABSTRACT:

Drupal Core Multiple vulnerabilities

REFERENCE LINKS:

SA-CORE-2012-004 - Drupal core
Bugtraq ID: 56993
Secunia Advisory SA51517
CVE-2012-5651
CVE-2012-5652
CVE-2012-5653

IMPACT ASSESSMENT:

Medium

DISCUSSION:

An attacker can exploit these issues to execute arbitrary PHP code within the context of the web server, bypass certain security restrictions, and perform unauthorized actions; this may aid in launching further attacks.

IMPACT:

Drupal is prone to an arbitrary PHP code-execution and multiple access-bypass vulnerabilities.

SOLUTION:

Install the latest version:

• If you use Drupal 6.x, upgrade to Drupal core 6.27.
• If you use Drupal 7.x, upgrade to Drupal core 7.18.
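
To find which installations still need the upgrade, the following added example (not part of the original bulletin or of Drupal) reads the core VERSION constant from a docroot and compares it with the fixed releases listed above. It assumes the standard core layout, where the constant is defined in includes/bootstrap.inc on 7.x and modules/system/system.module on 6.x; the sample docroots are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# First fixed release per branch, from the advisory's PLATFORM and SOLUTION text.
FIXED_MINOR = {6: 27, 7: 18}
# Core files that define the VERSION constant (assumed standard layout):
# bootstrap.inc on 7.x, system.module on 6.x.
VERSION_FILES = ("includes/bootstrap.inc", "modules/system/system.module")
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def read_core_version(root):
    """Return the core version string found under a docroot, or None."""
    for rel in VERSION_FILES:
        path = Path(root) / rel
        if path.is_file():
            match = VERSION_RE.search(path.read_text(errors="replace"))
            if match:
                return match.group(1)
    return None


def classify(version):
    """Return 'affected', 'fixed', or 'review' for anything not a plain release."""
    match = re.fullmatch(r"(\d+)\.(\d+)", version or "")
    if not match or int(match.group(1)) not in FIXED_MINOR:
        return "review"  # dev snapshots, other branches, no version found
    major, minor = int(match.group(1)), int(match.group(2))
    return "affected" if minor < FIXED_MINOR[major] else "fixed"


def build_sample_tree(base):
    """Create constructed docroots (not real sites) to exercise the check."""
    samples = {"site-a": ("includes/bootstrap.inc", "7.17"),
               "site-b": ("modules/system/system.module", "6.27"),
               "site-c": ("includes/bootstrap.inc", "7.18-dev")}
    for name, (rel, version) in samples.items():
        target = Path(base) / name / rel
        target.parent.mkdir(parents=True)
        target.write_text("<?php\ndefine('VERSION', '%s');\n" % version)
    return [Path(base) / name for name in samples]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for root in build_sample_tree(tmp):
            version = read_core_version(root)
            print(root.name, version, classify(version))
```

A "review" result means the version string is not a plain release number on the 6.x or 7.x branch, so the installation has to be checked by hand.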