FreeBSD : drupal -- multiple vulnerabilities (12efc567-9879-11dd-a5e7-0030843d3802)

This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The Drupal Project reports :

A logic error in the core upload module validation allowed
unprivileged users to attach files to content. Users can view files
attached to content which they do not otherwise have access to. If the
core upload module is not enabled, your site will not be affected.

A deficiency in the user module allowed users who had been blocked by
access rules to continue logging into the site under certain
conditions. If you do not use the 'access rules' functionality in
core, your site will not be affected.

The BlogAPI module does not implement correct validation for certain
content fields, allowing for values to be set for fields which would
otherwise be inaccessible on an internal Drupal form. We have hardened
these checks in BlogAPI module for this release, but the security team
would like to re-iterate that the 'Administer content with BlogAPI'
permission should only be given to trusted users. If the core BlogAPI
module is not enabled, your site will not be affected.

A weakness in the node module API allowed for node validation to be
bypassed in certain circumstances for contributed modules implementing
the API. Additional checks have been added to ensure that validation
is performed in all cases. This vulnerability only affects sites using
one of a very small number of contributed modules, all of which will
continue to work correctly with the improved API. None of them were
found vulnerable, so our correction is a preventative measure.

See also :

http://drupal.org/node/318706
http://www.nessus.org/u?d44aaa38

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 34389 (freebsd_pkg_12efc567987911dda5e70030843d3802.nasl)

Bugtraq ID:

CVE ID: CVE-2008-4791
CVE-2008-4792
CVE-2008-4793
