Vulnerabilities > CVE-2015-6661 - Information Exposure vulnerability in Drupal

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
drupal
CWE-200
nessus

Summary

Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-14444.NASL
    descriptionMaintenance and security release of the Drupal 6 series. This release fixes **security vulnerabilities**. Sites are [urged to upgrade immediately](https://www.drupal.org/node/1494290) after reading the notes below and the security announcement: [Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) No other fixes are included. No changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary. #### Known issues: None. #### Major changes since 6.36: * For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms. Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details). * When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-09-08
    plugin id85825
    published2015-09-08
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85825
    titleFedora 22 : drupal6-6.37-1.fc22 (2015-14444)
  • NASL familyCGI abuses
    NASL idDRUPAL_6_37.NASL
    descriptionThe remote web server is running a version of Drupal that is 6.x prior to 6.37. It is, therefore, potentially affected by the following vulnerabilities : - A cross-site scripting vulnerability exists in the autocomplete functionality due to improper validation of input passed via requested URLs. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code. (CVE-2015-6658) - A cross-site request forgery vulnerability exists in the form API due to improper validation of form tokens. An authenticated, remote attacker can exploit this, via a specially crafted link, to upload arbitrary files under another user
    last seen2020-06-01
    modified2020-06-02
    plugin id85652
    published2015-08-26
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85652
    titleDrupal 6.x < 6.37 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-13916.NASL
    descriptionUpdated to 7.39 * [Release notes](https://www.drupal.org/drupal-7.39-release- notes) * [Drupal Core - Critical - Multiple Vulnerabilities - SA- CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-09-08
    plugin id85814
    published2015-09-08
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85814
    titleFedora 22 : drupal7-7.39-1.fc22 (2015-13916)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-14443.NASL
    descriptionMaintenance and security release of the Drupal 6 series. This release fixes **security vulnerabilities**. Sites are [urged to upgrade immediately](https://www.drupal.org/node/1494290) after reading the notes below and the security announcement: [Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) No other fixes are included. No changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary. #### Known issues: None. #### Major changes since 6.36: * For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms. Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details). * When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-09-08
    plugin id85824
    published2015-09-08
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85824
    titleFedora 23 : drupal6-6.37-1.fc23 (2015-14443)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-14442.NASL
    descriptionMaintenance and security release of the Drupal 6 series. This release fixes **security vulnerabilities**. Sites are [urged to upgrade immediately](https://www.drupal.org/node/1494290) after reading the notes below and the security announcement: [Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) No other fixes are included. No changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary. #### Known issues: None. #### Major changes since 6.36: * For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms. Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details). * When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-09-08
    plugin id85823
    published2015-09-08
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85823
    titleFedora 21 : drupal6-6.37-1.fc21 (2015-14442)
  • NASL familyCGI abuses
    NASL idDRUPAL_7_39.NASL
    descriptionThe remote web server is running a version of Drupal that is 7.x prior to 7.39. It is, therefore, potentially affected by the following vulnerabilities : - A cross-site scripting vulnerability exists in the autocomplete functionality due to improper validation of input passed via requested URLs. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code. (CVE-2015-6658) - A SQL injection vulnerability exists in the SQL comment filtering system due to improper sanitization of user-supplied input before using it in SQL queries. An authenticated, remote attacker can exploit this to inject SQL queries, resulting in the manipulation or disclosure of arbitrary data. (CVE-2015-6659) - A cross-site request forgery vulnerability exists in the form API due to improper validation of form tokens. An authenticated, remote attacker can exploit this, via a specially crafted link, to upload arbitrary files under another user
    last seen2020-04-30
    modified2015-08-26
    plugin id85653
    published2015-08-26
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85653
    titleDrupal 7.x < 7.39 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3346.NASL
    descriptionSeveral vulnerabilities were discovered in Drupal, a content management framework : - CVE-2015-6658 The form autocomplete functionality did not properly sanitize the requested URL, allowing remote attackers to perform a cross-site scripting attack. - CVE-2015-6659 The SQL comment filtering system could allow a user with elevated permissions to inject malicious code in SQL comments. - CVE-2015-6660 The form API did not perform form token validation early enough, allowing the file upload callbacks to be run with untrusted input. This could allow remote attackers to upload files to the site under another user
    last seen2020-06-01
    modified2020-06-02
    plugin id85726
    published2015-09-02
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85726
    titleDebian DSA-3346-1 : drupal7 - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-13917.NASL
    descriptionUpdated to 7.39 * [Release notes](https://www.drupal.org/drupal-7.39-release- notes) * [Drupal Core - Critical - Multiple Vulnerabilities - SA- CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-09-08
    plugin id85815
    published2015-09-08
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85815
    titleFedora 21 : drupal7-7.39-1.fc21 (2015-13917)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-13915.NASL
    descriptionUpdated to 7.39 * [Release notes](https://www.drupal.org/drupal-7.39-release- notes) * [Drupal Core - Critical - Multiple Vulnerabilities - SA- CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-08-28
    plugin id85674
    published2015-08-28
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85674
    titleFedora 23 : drupal7-7.39-1.fc23 (2015-13915)