Drupal Local File Inclusion on Windows Vulnerability - SA-CORE-2009-003
This vulnerability exists on Windows regardless of the type of web server (Apache, IIS) used. The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it does not take into account how Windows arrives at a canonicalized path. This enables malicious users to include files readable by the web server and located on the same volume as Drupal, and to execute PHP contained within those files.

For example: if a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Vulnerability ID: SA-CORE-2009-003

Official Reference: https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2009-02-25/sa-core-2009-003-local-file
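A canonicalization-aware template lookup, added here as an illustration of the defensive check the advisory implies (this is not Drupal's code nor the fix shipped for SA-CORE-2009-003); the function name, the `.tpl.php` layout and the demo directory are assumptions:

```php
<?php
// Hypothetical helper: resolve a template suggestion that came from URL
// arguments to a file, refusing anything outside $theme_dir. On Windows,
// "\" is a separator, ":" introduces a drive or NTFS stream, and trailing
// dots/spaces are silently dropped, so comparing the raw string against
// the expected directory is not enough; we let the OS canonicalize instead.
function safe_template_path($theme_dir, $suggestion) {
    if (!is_string($suggestion) || $suggestion === '') {
        return FALSE;
    }
    // Allow only the characters a legitimate suggestion needs; this alone
    // rejects "..", "\", ":", NUL and trailing dots or spaces.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $suggestion)) {
        return FALSE;
    }
    $candidate = $theme_dir . DIRECTORY_SEPARATOR . $suggestion . '.tpl.php';

    // realpath() applies the platform's own canonicalization rules and
    // returns FALSE for a file that does not exist.
    $real_dir = realpath($theme_dir);
    $real_file = realpath($candidate);
    if ($real_dir === FALSE || $real_file === FALSE) {
        return FALSE;
    }
    $real_dir = rtrim($real_dir, '/\\') . DIRECTORY_SEPARATOR;

    // Containment check on the resolved paths; Windows file names are
    // case-insensitive, so compare accordingly there.
    $inside = (DIRECTORY_SEPARATOR === '\\')
        ? (stripos($real_file, $real_dir) === 0)
        : (strpos($real_file, $real_dir) === 0);
    return $inside ? $real_file : FALSE;
}

// Constructed demo: a throwaway theme directory with one real template and
// one uploaded file stored outside it.
$theme = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'theme_demo_' . getmypid();
mkdir($theme);
file_put_contents($theme . DIRECTORY_SEPARATOR . 'page-front.tpl.php', "<?php\n");
$upload = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_' . getmypid() . '.tpl.php';
file_put_contents($upload, "<?php\n");

var_dump(safe_template_path($theme, 'page-front') !== FALSE);   // legitimate suggestion
var_dump(safe_template_path($theme, '..\\upload_' . getmypid())); // separator smuggling
var_dump(safe_template_path($theme, 'page-front.'));             // trailing dot
var_dump(safe_template_path($theme, 'C:page-front'));            // drive / stream syntax

unlink($upload);
unlink($theme . DIRECTORY_SEPARATOR . 'page-front.tpl.php');
rmdir($theme);
```

Only the first call should resolve to a path; the other three are rejected before the filesystem is consulted, which is the property the raw-string comparison the advisory describes was missing on Windows.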