Re: LFI in Drupal CMS

[security () drupal org]

Rasool Nasr replied privately with additional details:

- quote

"You must go to the profile folder and create a file with .profile
extension.Then you must copy your shell(such as c99) into created file
for example create shell .profile and then use it with this sample:

http://[sitename]/drupal/install.php?profile=shell";

- unquote


Response:

Installation profiles define which modules should be enabled, and can
customize the installation after they have been installed. This
allows customized "distributions" that enable and configure a set of
modules that work together for a specific kind of site (Drupal for
bloggers, Drupal for musicians, Drupal for developers, and so on).

Just like other Drupal directories, the profiles directory is normally
not writable by the webserver.

The reported "vulnerability" is therefore in the same league as "ZOMG
- IF YOU OVERWRITE INDEX.PHP, TEH CODE IS EXECUTED!!!!""

Regards

Heine Deelstra

--
Drupal security team