FreeBSD : drupal -- multiple vulnerabilities (6779e82f-b60b-11da-913d-000ae42e9b93)
High Nessus Plugin ID 21444
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionDrupal reports :
Mail header injection vulnerability.
Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email.
This could lead to Drupal sites being used to send unwanted email.
Session fixation vulnerability.
If someone creates a clever enough URL and convinces you to click on it, and you later log in but you do not log off then the attacker may be able to impersonate you.
Some user input sanity checking was missing. This could lead to possible cross-site scripting (XSS) attacks.
XSS can lead to user tracking and theft of accounts and services.
Security bypass in menu.module.
If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page.
SolutionUpdate the affected package.