Drupal 7.x < 7.16 Multiple Vulnerabilities

medium Nessus Plugin ID 62678

Synopsis

The remote web server is running a PHP application that is affected by multiple vulnerabilities.

Description

The remote web server is running a version of Drupal that is 7.x prior to 7.16. It is, therefore, potentially affected by multiple vulnerabilities :

- An arbitrary PHP code execution vulnerability exists due to an error in the 'installer.php' script. An attacker, under certain conditions, could use this to re-install Drupal via an external database server, which then could allow the execution of arbitrary PHP code on the original server. This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's 'settings.php' file or directories are writeable by, or owned by, the web server user.
(CVE-2012-4553)

- An information disclosure vulnerability exists for sites using the OpenID module. This could allow an attacker to read files on the local system by attempting to log into the site using a malicious OpenID server.
(CVE-2012-4554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 7.16 or later.

See Also

https://www.drupal.org/node/1815912

Plugin Details

Severity: Medium

ID: 62678

File Name: drupal_7_16.nasl

Version: 1.15

Type: remote

Family: CGI abuses

Published: 10/24/2012

Updated: 4/7/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Required KB Items: www/PHP, Settings/ParanoidReport, installed_sw/Drupal

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/17/2012

Vulnerability Publication Date: 10/17/2012

Reference Information

CVE: CVE-2012-4553, CVE-2012-4554

BID: 56103