Drupal 7.x < 7.16 Multiple Vulnerabilities

2012-10-24T00:00:00
ID DRUPAL_7_16.NASL
Type nessus
Reporter Tenable
Modified 2018-06-14T00:00:00

Description

The remote web server is running a version of Drupal that is 7.x prior to 7.16. It is, therefore, potentially affected by multiple vulnerabilities:

  • An arbitrary PHP code execution vulnerability exists due to an error in the 'installer.php' script. An attacker, under certain conditions, could use this to re-install Drupal via an external database server, which then could allow the execution of arbitrary PHP code on the original server. This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's 'settings.php' file or directories are writeable by, or owned by, the web server user. (CVE-2012-4553)

  • An information disclosure vulnerability exists for sites using the OpenID module. This could allow an attacker to read files on the local system by attempting to log into the site using a malicious OpenID server. (CVE-2012-4554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: when the engine sets 'description', only the
# metadata below is declared and the script exits without touching the target.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(62678);
  script_version("1.13");
  script_cvs_date("Date: 2018/06/14 12:21:47");

  # Cross-references for the two issues this plugin reports together.
  script_cve_id("CVE-2012-4553", "CVE-2012-4554");
  script_bugtraq_id(56103);

  script_name(english:"Drupal 7.x < 7.16 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Drupal.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is running a PHP application that is affected by
multiple vulnerabilities.");
  # NOTE(review): the text below names 'installer.php'; Drupal core's installer
  # entry point is normally 'install.php' - confirm against the advisory linked
  # in see_also before relying on the file name.
  # The text also states the mitigating condition for CVE-2012-4553 (the
  # re-install only succeeds if 'settings.php' or its directories are writable
  # by, or owned by, the web server user), so auditing those permissions is a
  # useful check alongside the upgrade.
  script_set_attribute(attribute:"description", value:
"The remote web server is running a version of Drupal that is 7.x prior
to 7.16. It is, therefore, potentially affected by multiple
vulnerabilities :

  - An arbitrary PHP code execution vulnerability exists due
    to an error in the 'installer.php' script. An attacker,
    under certain conditions, could use this to re-install
    Drupal via an external database server, which then could
    allow the execution of arbitrary PHP code on the
    original server. This vulnerability is mitigated by the
    fact that the re-installation can only be successful if
    the site's 'settings.php' file or directories are
    writeable by, or owned by, the web server user.
    (CVE-2012-4553)

  - An information disclosure vulnerability exists for sites
    using the OpenID module. This could allow an attacker to
    read files on the local system by attempting to log into
    the site using a malicious OpenID server.
    (CVE-2012-4554)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/node/1815912");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 7.16 or later.");
  # CVSS v2 base vector: network-reachable, medium access complexity, no
  # authentication, partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  # CVSS v2 temporal vector: functional exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/10/24");

  # Marked as a potential finding: per the description text, the result rests
  # only on the self-reported version and nothing is tested on the target.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_end_attributes();

  # Information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Scheduling prerequisites: declares a dependency on drupal_detect.nasl and
  # requires the listed KB keys. "Settings/ParanoidReport" is among them,
  # presumably because a version-only match can misreport a host whose fix is
  # not reflected in its version string - verify such hosts by hand.
  script_dependencies("drupal_detect.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP", "installed_sw/Drupal", "Settings/ParanoidReport");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

# Look up the Drupal install for this scan; exit_if_zero is set, so the run
# ends here when no install is recorded.
app = "Drupal";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

# One install on this port; exit_if_unknown_ver is set because the check
# below depends entirely on the version string.
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);

version = install['version'];
dir     = install['path'];
loc     = build_url(qs:dir, port:port);

# Version-only check: nothing is tested on the target, so the result is
# reported only when paranoid reporting is enabled.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Affected range is 7.0 - 7.15: "7." followed by one digit or by 10-15, then
# either end of string or a non-digit, so 7.16 and later do not match.
if (version !~ "^7\.([0-9]|1[0-5])($|[^0-9]+)")
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, loc, version);
else
{
  if (report_verbosity <= 0) security_warning(port);
  else
  {
    # Verbose output tells the operator where the install lives, what version
    # it reports and which release carries the fix.
    report = '\n  URL               : ' + loc;
    report = report + '\n  Installed version : ' + version;
    report = report + '\n  Fixed version     : 7.16';
    report = report + '\n';
    security_warning(port:port, extra:report);
  }
  exit(0);
}