* Advisory ID: DRUPAL-SA-CONTRIB-2010-067
* Project: Views (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented.

-------- CROSS SITE REQUEST FORGERY (CSRF) -----------------------------------
The Views UI module, which is included with Views, can be used to enable or disable Views by following a link to a particular page (e.g. admin/build/views/disable/frontpage). As no protections, such as form tokens, are in place to prevent forged requests to these pages, the feature is vulnerable to a Cross Site Request Forgery (CSRF [1]) that would allow an attacker to enable or disable all Views on a site.

Mitigating factors: If the Views UI module is disabled, the site is not affected by this vulnerability.

This issue affects Views for Drupal 5 and Drupal 6.

-------- CROSS SITE SCRIPTING (XSS) ------------------------------------------
Under certain circumstances, Views could display URLs or aggregator feed titles without escaping, resulting in a Cross Site Scripting (XSS [2]) vulnerability. An attacker could exploit this to gain full administrative access.

This issue affects Views for Drupal 6 only.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Views module for Drupal 5.x versions prior to 5.x-1.8
* Views module for Drupal 6.x versions prior to 6.x-2.11
Drupal core is not affected. If you do not use the contributed Views [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Install the latest version:

* If you use the Views module for Drupal 5.x, upgrade to Views 5.x-1.8 [4]
* If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.11 [5]
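As an added illustration of the class of fix the CSRF section calls for (example code written for this advisory, not the Views module's own code and not the patch shipped in the releases above): a Drupal 6 link-triggered "disable" action shown first without any request check, then protected with Drupal's form-token API. The path admin/build/example/disable/%, the example_* function names and the example_disabled_views variable are assumptions; drupal_get_token(), drupal_valid_token(), l(), t(), watchdog(), variable_get()/variable_set(), drupal_access_denied() and drupal_goto() are Drupal 6 core functions.

```php
<?php
// Added example for this advisory, not code from the Views module.
// The path, the example_* names and the example_disabled_views variable
// are assumed; the drupal_* / variable_* calls are Drupal 6 core API.

// Assumed storage for the on/off state, kept in a Drupal variable.
function example_set_view_status($view_name, $enabled) {
  $disabled = variable_get('example_disabled_views', array());
  if ($enabled) {
    unset($disabled[$view_name]);
  }
  else {
    $disabled[$view_name] = TRUE;
  }
  variable_set('example_disabled_views', $disabled);
}

// Vulnerable pattern: a plain link to a path that changes state. Nothing in
// the URL ties the request to the administrator's session, so a request
// forged from another site is indistinguishable from a genuine click.
function example_disable_link_vulnerable($view_name) {
  return l(t('Disable'), 'admin/build/example/disable/' . $view_name);
}

// Vulnerable menu callback: acts on whatever arrives in the URL.
function example_disable_view_vulnerable($view_name) {
  example_set_view_status($view_name, FALSE);
  drupal_goto('admin/build/example');
}

// Hardened link: carries a token derived from the current session and a
// value naming this exact action, valid only for this admin and this view.
function example_disable_link_protected($view_name) {
  $token = drupal_get_token('example-disable-' . $view_name);
  return l(t('Disable'), 'admin/build/example/disable/' . $view_name,
    array('query' => array('token' => $token)));
}

// Hardened menu callback: refuse unless the token matches, and log the
// rejection so forged attempts show up in the watchdog log.
function example_disable_view_protected($view_name) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example-disable-' . $view_name)) {
    watchdog('example', 'Rejected disable of %view: bad or missing token.',
      array('%view' => $view_name), WATCHDOG_WARNING);
    drupal_access_denied();
    return;
  }
  example_set_view_status($view_name, FALSE);
  drupal_set_message(t('View %view disabled.', array('%view' => $view_name)));
  drupal_goto('admin/build/example');
}
```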
See also the Views project page [6].

-------- REPORTED BY ---------------------------------------------------------
* The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin Barbella (mbarbella [7]).
* The Cross Site Scripting (XSS) vulnerabilities were reported by Earl Miles (merlinofchaos [8]), module maintainer, and Daniel Wehner (dereine [9]), module co-maintainer.
-------- FIXED BY ------------------------------------------------------------
* Earl Miles (merlinofchaos [10]), module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [11] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/views
[4] http://drupal.org/node/829848
[5] http://drupal.org/node/829846
[6] http://drupal.org/project/views
[7] http://drupal.org/user/633600
[8] http://drupal.org/user/26979
[9] http://drupal.org/user/99340
[10] http://drupal.org/user/26979
[11] http://drupal.org/security-team