FreeBSD : drupal -- multiple vulnerabilities (12efc567-9879-11dd-a5e7-0030843d3802)

High Nessus Plugin ID 34389


The remote FreeBSD host is missing one or more security-related updates.


The Drupal Project reports:

A logic error in the core upload module validation allowed unprivileged users to attach files to content. Users can view files attached to content which they do not otherwise have access to. If the core upload module is not enabled, your site will not be affected.

A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions. If you do not use the 'access rules' functionality in core, your site will not be affected.

The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the 'Administer content with BlogAPI' permission should only be given to trusted users. If the core BlogAPI module is not enabled, your site will not be affected.

A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure.


Update the affected packages.

Plugin Details

Severity: High

ID: 34389

File Name: freebsd_pkg_12efc567987911dda5e70030843d3802.nasl

Version: $Revision: 1.12 $

Type: local

Published: 2008/10/13

Modified: 2013/06/21

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:drupal5, p-cpe:/a:freebsd:freebsd:drupal6, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2008/10/12

Vulnerability Publication Date: 2008/10/08

Exploitable With

Core Impact

Reference Information

CVE: CVE-2008-4791, CVE-2008-4792, CVE-2008-4793

Secunia: 32198, 32200, 32201

CWE: 264