SA-2008-067

Primary links

Advisory ID: DRUPAL-SA-2008-067
Project: Drupal core
Version: 5.x, 6.x
Date: 2008-October-22
Security risk: Less Critical
Exploitable from: Remote
Vulnerability: File inclusion

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

The official announcement for Drupal 5.x is here.

Considerations for Drupal 4.7

Drupal 4.7 is vulnerable to the same attack and should be patched. The affected function in includes/bootstrap.inc did not change between version 4.7 and 5.x.

SA-2008-067-4.7.patch

Featured Project

The Pulitzer Prizes

The Pulitzer Prizes, awarded annually since 1917, are regarded among the highest honors in U.S. print journalism, literary achievement and musical composition. Openflows recently re-implemented their 15-year-old website.

Full description

Our Clients Are the Bottom Line

One of the key things that makes OCTL different from many other free software/open source consulting groups is that we have no investors. We built the company based on labor and the needs of our clients.

At the end of the day, our decisions are based not on what is in the best interests of shareholders, but on the commitments and relationships we have with the companies and organizations we work with.