CVE-2006-2831

Name: CVE-2006-2831
Description: Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1125
NVD severity: high (attack range: remote)
Debian/oldoldstable: not known to be vulnerable.
Debian/oldstable: not known to be vulnerable.
Debian/stable: not known to be vulnerable.
Debian/testing: not known to be vulnerable.
Debian/unstable: not known to be vulnerable.

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version    | Urgency | Origin   | Debian Bugs
drupal  | source | (unstable) | 4.5.8-1.1        | medium  |          |
drupal  | source | sarge      | 4.5.3-6.1sarge1  | high    | DSA-1125 |

Notes

Although not in the changelog, sesse@ (responsible for 4.5.8-1.1)
says he pulled in the entire patch for DRUPAL-SA-2006-007, which
fixes CVE-2006-2831.
