Lucene search
This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.DRUPAL_7_27.NASLHistoryApr 21, 2014 - 12:00 a.m.
Drupal 7.x < 7.27 Forms API Information Disclosure
2014-04-2100:00:00
This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
9
The remote web server is running a version of Drupal that is 7.x prior to 7.27. It is, therefore, affected by an error related to the HTML form API and the caching of pages for different anonymous users, which could allow sensitive information to be disclosed. Note that Drupal core does not expose any such HTML forms by default.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(73635);
script_version("1.14");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2014-2983");
script_bugtraq_id(66977);
script_name(english:"Drupal 7.x < 7.27 Forms API Information Disclosure");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is running a PHP application that is affected by
an information disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote web server is running a version of Drupal that is 7.x prior
to 7.27. It is, therefore, affected by an error related to the HTML
form API and the caching of pages for different anonymous users, which
could allow sensitive information to be disclosed. Note that Drupal
core does not expose any such HTML forms by default.
Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
# https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-04-16/sa-core-2014-002-drupal-core
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ca0aa11");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/drupal-7.27-release-notes");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 7.27 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/16");
script_set_attribute(attribute:"patch_publication_date", value:"2014/04/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/21");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("drupal_detect.nasl");
script_require_keys("www/PHP", "installed_sw/Drupal", "Settings/ParanoidReport");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "Drupal";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port,
exit_if_unknown_ver : TRUE
);
dir = install['path'];
version = install['version'];
url = build_url(qs:dir, port:port);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
fix = '7.27';
if (version =~ "^7\.([0-9]|1[0-9]|2[0-6])($|[^0-9]+)")
{
if (report_verbosity > 0)
{
report =
'\n URL : ' + url +
'\n Installed version : ' + version +
'\n Fixed version : ' + fix +
'\n';
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);
Related
openvas
openvas
Debian Security Advisory DSA 2913-1 (drupal7 - security update)
2014-04-25 00:00:00
Debian: Security Advisory (DSA-2913-1)
2014-04-24 00:00:00
Debian: Security Advisory (DSA-2914-1)
2014-04-24 00:00:00
nessus
nessus
Debian DSA-2913-1 : drupal7 - security update
2014-04-27 00:00:00
Drupal 6.x < 6.31 Forms API Information Disclosure
2014-04-21 00:00:00
Debian DSA-2914-1 : drupal6 - security update
2014-04-27 00:00:00
osv
osv
drupal6 - security update
2014-04-25 00:00:00
drupal7 - security update
2014-04-25 00:00:00
debian
debian
[SECURITY] [DSA 2914-1] drupal6 security update
2014-04-25 20:18:01
[SECURITY] [DSA 2913-1] drupal7 security update
2014-04-25 20:17:56
[SECURITY] [DSA 2914-1] drupal6 security update
2014-04-25 20:18:01
prion
prion
Input validation
2014-04-23 15:55:00
securityvulns
securityvulns
[SECURITY] [DSA 2914-1] drupal6 security update
2014-05-04 00:00:00
[SECURITY] [DSA 2913-1] drupal7 security update
2014-05-04 00:00:00
[ MDVSA-2015:181 ] drupal
2015-05-12 00:00:00
drupal
drupal
SA-CORE-2014-002 - Drupal core - Information Disclosure
2014-04-16 00:00:00
cve
cve
CVE-2014-2983
2014-04-23 15:55:00
ubuntucve
ubuntucve
CVE-2014-2983
2014-04-23 00:00:00
debiancve
debiancve
CVE-2014-2983
2014-04-23 15:55:00
mageia
mageia
Updated drupal packages fix security vulnerabilities
2014-08-07 21:01:33
Related for DRUPAL_7_27.NASL