FreeBSD : drupal6 -- multiple vulnerabilities (1acf9ec5-877d-11e0-b937-001372fd0af2)

high Nessus Plugin ID 54838

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Drupal Team reports:

A reflected cross-site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites.

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the 'Administer themes' permission.

Solution

Update the affected package.

See Also

http://drupal.org/node/1168756

http://www.nessus.org/u?12c55b24

Plugin Details

Severity: High

ID: 54838

File Name: freebsd_pkg_1acf9ec5877d11e0b937001372fd0af2.nasl

Version: 1.7

Type: local

Published: 5/27/2011

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:drupal6, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/26/2011

Vulnerability Publication Date: 5/25/2011