[Security-news] SA-CONTRIB-2010-036 - Views - multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Thu Apr 8 00:36:04 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-036
  * Project: Views (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-April-7
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting (XSS), arbitrary code execution

-------- DESCRIPTION ---------------------------------------------------------

The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented.

Views accepts parameters in the URL and uses them in an AJAX callback. The
values were not filtered before being placed in the AJAX response, so a
crafted URL can inject JavaScript or HTML that the page then renders. A user
tricked into visiting such a URL is exposed to the injected script. In
addition, the Views module does not properly sanitize file descriptions when
displaying them in a view, so a file description may be used to inject
arbitrary script or HTML. Such cross site scripting [1] (XSS) attacks may
lead to a malicious user gaining full administrative access. These two
vulnerabilities affect only the Drupal 6 version. The file description
vulnerability is mitigated by the fact that the attacker must have permission
to upload files.

In both the Drupal 5 and Drupal 6 versions, users with permission to
'administer views' can execute arbitrary PHP code using the views import
feature. An additional check for the permission 'use PHP for block
visibility' has been added to ensure that the site administrator has already
granted users of the import functionality the permission to execute PHP.
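To make the three patterns above concrete, the following is an added PHP
illustration written for this advisory. It is not code from the Views module:
the function names (example_*), the 'label' URL parameter and the form field
are hypothetical stand-ins for "a URL parameter echoed into an AJAX response",
"a file description rendered in a view" and "an import form that runs PHP".
It assumes the Drupal 6 core API (check_plain(), drupal_json(), user_access(),
drupal_access_denied(), hook_menu()).

```php
<?php
// Added illustration for SA-CONTRIB-2010-036, NOT code from the Views module.
// Assumes Drupal 6 core: check_plain(), drupal_json(), user_access(),
// drupal_access_denied(). All example_* names and the 'label' parameter are
// hypothetical.

/**
 * Pattern 1 (vulnerable): a URL parameter reflected into an AJAX response.
 *
 * The raw value is placed in markup that the client inserts into the DOM, so a
 * request such as ?label=<script>...</script> runs in the victim's browser.
 */
function example_ajax_callback_vulnerable() {
  $label = isset($_GET['label']) ? $_GET['label'] : '';
  drupal_json(array('markup' => '<div class="label">' . $label . '</div>'));
}

/**
 * Pattern 1 (fixed): encode the parameter for HTML output on the server.
 *
 * In Drupal 6, check_plain() wraps htmlspecialchars($text, ENT_QUOTES, 'UTF-8'),
 * so '<', '>', '&', '"' and "'" are rendered as text rather than parsed.
 */
function example_ajax_callback_fixed() {
  $label = isset($_GET['label']) ? $_GET['label'] : '';
  drupal_json(array('markup' => '<div class="label">' . check_plain($label) . '</div>'));
}

/**
 * Pattern 2: a file description rendered by a view.
 *
 * $file->description was typed by whoever uploaded the file. Storage in the
 * database does not make it trusted; it must be encoded on output.
 */
function example_render_file_description($file) {
  // Vulnerable form would be:  return $file->description;
  return check_plain($file->description);
}

/**
 * Pattern 3: gating a PHP-executing import behind an explicit PHP permission.
 *
 * 'administer views' alone does not express an intent to let the user run
 * PHP. 'use PHP for block visibility' is the core permission that does, so the
 * import path requires both, as the advisory describes.
 */
function example_import_access() {
  return user_access('administer views') && user_access('use PHP for block visibility');
}

/**
 * Implementation of hook_menu(): the access callback is enforced by the menu
 * system before the form is even built.
 */
function example_menu() {
  $items['admin/build/example/import'] = array(
    'title' => 'Import',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_import_form'),
    'access callback' => 'example_import_access',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Submit handler: re-check on submit so a stale or forged POST cannot bypass
 * the menu access check.
 */
function example_import_form_submit($form, &$form_state) {
  if (!example_import_access()) {
    drupal_access_denied();
    return;
  }
  // Only reached when the administrator deliberately granted PHP execution.
  $view = eval($form_state['values']['view']);
  // ... validate and save $view ...
}
```

The defensive points are output encoding at the last moment (the AJAX
response and the rendered field), and treating "can edit views" and "can run
PHP" as separate grants checked by the menu system and again on submit.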

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Versions of Views for Drupal 6.x prior to 6.x-2.9
  * Versions of Views for Drupal 5.x prior to 5.x-1.7

Note: the alpha releases of the 6.x-3.x branch are also affected. If you do
not use the contributed Views module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Views for Drupal 6.x upgrade to Views 6.x-2.9 [2] or any later
    version.
  * If you use Views for Drupal 5.x upgrade to Views 5.x-1.7 [3] or any later
    version.

Also see the Views [4] project page.

-------- REPORTED BY ---------------------------------------------------------

  * XSS via AJAX parameters reported by Angel Lozano Alcazar of S21Sec
  * XSS via file descriptions reported by Martin Barbella [5]
  * PHP execution reported by Derek Wright (dww [6]) of the Drupal Security
    Team [7]

-------- FIXED BY ------------------------------------------------------------

  * Earl Miles (merlinofchaos [8]) Views project maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/765088
[3] http://drupal.org/node/765090
[4] http://drupal.org/project/views
[5] http://drupal.org/user/633600
[6] http://drupal.org/user/46549
[7] http://drupal.org/security-team
[8] http://drupal.org/user/26979