Description

The Drupal configuration file has weak file permissions.The file .\sites\default\settings.php is writable by the web server user (usually www-data, apache or nobody).

The Drupal recommended file permissions setting is 755 for folders and 644 for files. This way, the configuration file is only writable by the owner of this file and not by the web server user.

Remediation

Make sure the file permissions are set to only allow the owner to write to it. To do this, connect to the account with SSH (PuTTY/Terminal) and use a command similar to 

chmod 644 sites/default/settings.local.php
chmod 644 sites/default/settings.php

References

Step 3: Create settings.php and the files directory

Related Vulnerabilities

Open Silverlight Client Access Policy

Reverse Proxy Detected

SAP NetWeaver server info information disclosure BCB

GraphQL Unauthenticated Mutation Detected

Apache REST RCE CVE-2018-11770

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration