Description

The Drupal configuration file has weak file permissions. The file .\sites\default\settings.php is writable by the web server user (usually www-data, apache or nobody).

Drupal's recommended file permissions are 755 for folders and 644 for files. This way, the configuration file is writable only by its owner and not by the web server user.

Remediation

Make sure the file permissions allow only the owner to write to the file. To do this, connect to the account with SSH (PuTTY/Terminal) and use commands similar to:

chmod 644 sites/default/settings.local.php
chmod 644 sites/default/settings.php
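
To confirm the result after running chmod, the following added example (not part of the original page) checks every sites/<site>/settings*.php file for group/other write bits and for ownership by the web server account, since mode 644 does not help if that account owns the file. The function names are hypothetical, the web server user name is passed in as a parameter, and GNU or BSD stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): audit Drupal settings files.
# check_settings_file and audit_drupal_root are hypothetical helper names.

# Report FILE if group/others can write it, or if WEB_USER owns it.
# Returns 0 when the file is clean, 1 when there is a finding.
check_settings_file() {
    cs_file=$1; cs_web_user=$2; cs_rc=0
    # GNU stat first, BSD/macOS stat as fallback.
    cs_mode=$(stat -c '%a' "$cs_file" 2>/dev/null || stat -f '%Lp' "$cs_file")
    cs_owner=$(stat -c '%U' "$cs_file" 2>/dev/null || stat -f '%Su' "$cs_file")
    # 022 masks the group-write and other-write bits (leading 0 = octal).
    if [ $(( 0$cs_mode & 022 )) -ne 0 ]; then
        echo "FINDING: $cs_file is mode $cs_mode (group/other writable), expected 644"
        cs_rc=1
    fi
    # With 644 the owner can still write, so the owner must not be the web user.
    if [ "$cs_owner" = "$cs_web_user" ]; then
        echo "FINDING: $cs_file is owned by web server user $cs_owner"
        cs_rc=1
    fi
    return $cs_rc
}

# Check every sites/<site>/settings*.php under ROOT; WEB_USER defaults to www-data.
audit_drupal_root() {
    ad_root=$1; ad_web_user=${2:-www-data}; ad_status=0
    for ad_file in "$ad_root"/sites/*/settings*.php; do
        [ -f "$ad_file" ] || continue
        check_settings_file "$ad_file" "$ad_web_user" || ad_status=1
    done
    return $ad_status
}

# Usage: audit_drupal_root /var/www/drupal www-data   (path is a constructed example)
```

A non-zero return status means at least one settings file is still writable by someone other than a non-web-server owner.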
