Just a couple of days after I upgraded CMS Report from Drupal 4.7.0 to 4.7.1, Drupal has released 4.7.2. In my mind, the update is best described as a better fix to the fix. Why did Drupal need to release another security update? The excerpt below from the Drupal security advisory gives the reasons:
Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser under certain common Apache configurations, it will cause the script inside to be executed. We deemed this exploit critical and released Drupal 4.6.7 and 4.7.1 six hours after the report was filed. The fix was to create a .htaccess file to remove /all/ dynamic script handlers, such as PHP, from the "files" directory.
After continuous review, however, we've found that the fix will not work in certain Apache configurations, for example those in which .htaccess FileInfo overrides are disabled. We are thus releasing 4.6.8 and 4.7.2 with a more robust .htaccess fix, as well as a Drupal core solution to the issue that will work under all configurations.
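To make the three points of the advisory concrete, here is an added example that is not from the CMS Report post or from Drupal's own code. It models how Apache's mod_mime chooses a handler for a multi-extension upload such as file.php.pps, why a fix that lives only in a .htaccess file is not in effect when the FileInfo override class is disabled, and an application-side filename munging rule that neutralises the embedded extension regardless of how the web server is configured. The script-extension set, the directive-to-AllowOverride mapping and the munging rule are this example's own assumptions, not Drupal's exact implementation.

```python
# Added example (not from the CMS Report post or from Drupal's code base).
# Models the upload problem from the advisory and two layers of defence.

# Assumed: extensions the server maps to a script engine via AddHandler /
# AddType (mod_php, mod_cgi). Adjust to the real server configuration.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "phtml", "pl", "py", "cgi", "sh"}

# Assumed mapping of .htaccess directives to the AllowOverride class that
# must be enabled for Apache to honour them. Handler and php_* directives
# belong to FileInfo; "Options" belongs to the Options class.
DIRECTIVE_OVERRIDE_CLASS = {
    "SetHandler": "FileInfo",
    "AddHandler": "FileInfo",
    "RemoveHandler": "FileInfo",
    "php_flag": "FileInfo",
    "php_value": "FileInfo",
    "Options": "Options",
}

# The kind of .htaccess the first fix dropped into the files directory:
# serve everything as static content and switch the PHP engine off.
# (Constructed for this example; Drupal's actual file differs.)
HTACCESS_FIX = [
    "SetHandler default-handler",
    "php_flag engine off",
    "Options -ExecCGI",
]


def apache_would_execute(filename, script_exts=SCRIPT_EXTENSIONS):
    """Model of mod_mime extension scanning: every dot-separated segment
    after the base name is examined, so a script extension in the MIDDLE of
    the name (file.php.pps) still selects the script handler."""
    segments = filename.lower().split(".")[1:]
    return any(seg in script_exts for seg in segments)


def htaccess_fix_effective(directives, allow_override,
                           classes=DIRECTIVE_OVERRIDE_CLASS):
    """True only if every directive in the .htaccess fix falls inside the
    enabled AllowOverride classes. With 'AllowOverride None' Apache does not
    read .htaccess at all, and a directive outside the enabled classes is
    rejected, so in either case the intended protection is not applied."""
    enabled = set(allow_override)
    if "All" in enabled:
        return True
    # Unknown directives are treated conservatively as requiring "All".
    needed = {classes.get(d.split()[0], "All") for d in directives}
    return needed <= enabled


def munge_filename(filename, allowed_exts):
    """Application-side defence that does not depend on Apache: append '_'
    to every extension segment not on the upload allow-list, so
    'report.php.pps' becomes 'report.php_.pps' and no segment matches a
    script handler. This is the example's own rule, in the spirit of a core
    fix that works under every server configuration."""
    allowed = {e.lower() for e in allowed_exts}
    parts = filename.split(".")
    base, exts = parts[0], parts[1:]
    munged = [e if e.lower() in allowed else e + "_" for e in exts]
    return ".".join([base] + munged)


def demo(allow_override=("Options",), allowed_exts=("txt", "pdf", "pps")):
    """Walk one constructed upload through both defences on a host whose
    AllowOverride lacks FileInfo (the failure case in the advisory)."""
    upload = "quarterly.php.pps"  # constructed attacker-controlled name
    safe_name = munge_filename(upload, allowed_exts)
    return {
        "raw_executes": apache_would_execute(upload),
        "htaccess_protects": htaccess_fix_effective(HTACCESS_FIX, allow_override),
        "munged": safe_name,
        "munged_executes": apache_would_execute(safe_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last function is the one the advisory makes: on a host with `AllowOverride Options` (no FileInfo) the .htaccess layer reports ineffective, yet the munged name `quarterly.php_.pps` no longer contains a segment that any script handler claims, so the upload is safe whatever the server does with .htaccess. A real deployment would keep both layers: the .htaccess file as defence in depth where it is honoured, and the munging in the application as the control that always applies.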
The latest versions of Drupal can be downloaded at Drupal.org.
Bryan Ruby is the owner and editor for CMS Report. He founded CMSReport.com in 2006 on the belief that information technologists, website owners, and web developers desired visiting sites where they could learn about content management systems without the sales pitch. Besides this site, you can follow Bryan at Google+ and Twitter.