FreeBSD : drupal6 -- multiple vulnerabilities (1acf9ec5-877d-11e0-b937-001372fd0af2)

This script is Copyright (C) 2011-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Drupal Team reports :

A reflected cross site scripting vulnerability was discovered in
Drupal's error handler. Drupal displays PHP errors in the messages
area, and a specially crafted URL can cause malicious scripts to be
injected into the message. The issue can be mitigated by disabling
on-screen error display at admin/settings/error-reporting. This is
the recommended setting for production sites.

When using re-colorable themes, color inputs are not sanitized.
Malicious color values can be used to insert arbitrary CSS and script
code. Successful exploitation requires the 'Administer themes'
permission.
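As an added illustration of the second issue (not code from the Drupal project or from this plugin), the snippet below contrasts a CSS generator that interpolates a theme colour value unchanged with one that only accepts a strict `#rrggbb` hex value. The validation rule, the function names and the sample inputs are this example's own assumptions; they show why an unvalidated colour field lets arbitrary CSS or markup break out of the generated stylesheet.

```php
<?php
// Added example, not Drupal's own code. Demonstrates validating a theme
// colour value before it is written into generated CSS. The strict #rrggbb
// rule is an assumption chosen for the illustration.

/** Weak handling: the untrusted value is interpolated straight into CSS. */
function css_rule_unsafe(string $selector, string $color): string {
    return "$selector { color: $color; }";
}

/** Return the colour lower-cased if it is a strict #rrggbb value, else NULL. */
function sanitize_color(string $color): ?string {
    return preg_match('/^#[0-9a-fA-F]{6}$/', $color) ? strtolower($color) : NULL;
}

/** Hardened handling: anything that is not a plain hex colour is replaced. */
function css_rule_safe(string $selector, string $color, string $fallback = '#000000'): string {
    $clean = sanitize_color($color) ?? $fallback;
    return "$selector { color: $clean; }";
}

// Constructed sample inputs: one legitimate colour and one that carries a
// stylesheet terminator followed by markup.
$samples = [
    '#0C7BD1',
    '#0c7bd1; } </style><i>injected</i>',
];
foreach ($samples as $value) {
    printf("unsafe: %s\n", css_rule_unsafe('a', $value));
    printf("safe:   %s\n", css_rule_safe('a', $value));
}
```

Run with `php example.php`. The unsafe function emits the second sample verbatim, so the `</style>` sequence closes the stylesheet and the trailing markup becomes part of the page; the safe function rejects it and falls back to the default colour, while the legitimate `#0C7BD1` passes through normalised to lower case. The same allow-list approach applies to any field whose value is echoed into CSS.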

See also :

http://drupal.org/node/1168756
http://www.nessus.org/u?b6fe89d9

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 54838