Drupal 7 arbitrary PHP code execution and information disclosure - Vulnerability Database

Drupal 7 arbitrary PHP code execution and information disclosure

Description

Drupal 7 versions prior to 7.16 contain two critical vulnerabilities. The first is an installer vulnerability that allows attackers to trigger a reinstallation process using an external database server under specific timing conditions, enabling arbitrary PHP code execution on the target server. The second is an information disclosure flaw in the OpenID module that permits attackers to read local filesystem files by authenticating with a specially crafted malicious OpenID server.

Remediation

Immediately upgrade to Drupal 7.16 or later by following these steps:

1. Backup your site
Create a complete backup of your database and files before proceeding.

2. Download and apply the update
Download Drupal core 7.16 from the official Drupal website and follow the standard core update procedure documented at drupal.org.

3. Temporary mitigation (if immediate patching is not possible)
If you cannot deploy the security release immediately, protect against the arbitrary PHP code execution vulnerability by removing or restricting access to install.php. Add the following to your .htaccess file or web server configuration:

# Apache 2.2 access-control syntax; on Apache 2.4 replace the two lines with "Require all denied".
<Files "install.php">
  Order Deny,Allow
  Deny from all
</Files>

Additionally, disable the OpenID module if it is not required for your site's functionality.

4. Verify the update
After updating, confirm the version at Administration > Reports > Status report shows Drupal 7.16 or higher.
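The following offline check, added here as an example and not part of the advisory or of Drupal, reads the VERSION constant from a copy of includes/bootstrap.inc (where Drupal 7 core defines it) and a copy of the site's .htaccess, and reports whether the install is below 7.16 and whether install.php is blocked in either Apache 2.2 or 2.4 syntax. The file contents and paths are constructed samples.

```python
import re

# Fixed release named in the advisory; anything below it is affected.
FIXED_VERSION = (7, 16)

def parse_drupal7_version(bootstrap_inc):
    """Return (major, minor) from the VERSION constant in includes/bootstrap.inc,
    e.g. define('VERSION', '7.15'); -> (7, 15). None if the constant is absent."""
    m = re.search(r"""define\(\s*['"]VERSION['"]\s*,\s*['"](\d+)\.(\d+)""", bootstrap_inc)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_affected(version):
    """True for any Drupal 7.x release below 7.16."""
    return version is not None and version[0] == 7 and version < FIXED_VERSION

def install_php_blocked(htaccess):
    """True if a <Files "install.php"> block denies all access (Apache 2.2 or 2.4 directive)."""
    block = re.search(r'<Files\s+"?install\.php"?\s*>(.*?)</Files>', htaccess, re.S | re.I)
    if not block:
        return False
    return re.search(r'^\s*(Deny from all|Require all denied)\s*$',
                     block.group(1), re.M | re.I) is not None

def assess(bootstrap_inc, htaccess):
    """Return a list of findings; an empty list means no action is needed."""
    findings = []
    version = parse_drupal7_version(bootstrap_inc)
    if version is None:
        findings.append("could not determine Drupal version")
    elif is_affected(version):
        findings.append("Drupal %d.%d is below 7.16: upgrade" % version)
        if not install_php_blocked(htaccess):
            findings.append("install.php is reachable: add the Files block as an interim control")
    return findings

# Constructed samples standing in for files copied off the server (not real site data).
SAMPLE_BOOTSTRAP_OLD = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.15');\n"
SAMPLE_BOOTSTRAP_FIXED = "<?php\ndefine('VERSION', '7.16');\n"
SAMPLE_HTACCESS_OPEN = "Options -Indexes\nRewriteEngine on\n"
SAMPLE_HTACCESS_BLOCKED = SAMPLE_HTACCESS_OPEN + '<Files "install.php">\n  Order Deny,Allow\n  Deny from all\n</Files>\n'

if __name__ == "__main__":
    for label, inc, ht in [("old, open", SAMPLE_BOOTSTRAP_OLD, SAMPLE_HTACCESS_OPEN),
                           ("old, blocked", SAMPLE_BOOTSTRAP_OLD, SAMPLE_HTACCESS_BLOCKED),
                           ("fixed", SAMPLE_BOOTSTRAP_FIXED, SAMPLE_HTACCESS_OPEN)]:
        print(label, "->", assess(inc, ht) or ["ok"])
```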
