FreeBSD : drupal -- multiple vulnerabilities (6779e82f-b60b-11da-913d-000ae42e9b93)

high Nessus Plugin ID 21444

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Drupal reports :

Mail header injection vulnerability.

Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email.

This could lead to Drupal sites being used to send unwanted email.

Session fixation vulnerability.

If someone creates a clever enough URL and convinces you to click on it, and you later log in but you do not log off then the attacker may be able to impersonate you.

XSS vulnerabilities.

Some user input sanity checking was missing. This could lead to possible cross-site scripting (XSS) attacks.

XSS can lead to user tracking and theft of accounts and services.

Security bypass in menu.module.

If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page.

Solution

Update the affected package.

See Also

http://drupal.org/node/53806

http://drupal.org/node/53805

http://drupal.org/node/53803

http://drupal.org/node/53796

http://www.nessus.org/u?3eba90bf

Plugin Details

Severity: High

ID: 21444

File Name: freebsd_pkg_6779e82fb60b11da913d000ae42e9b93.nasl

Version: 1.13

Type: local

Published: 5/13/2006

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:drupal, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/17/2006

Vulnerability Publication Date: 3/13/2006