Websites Graveyard
9 years ago
5 years ago

(Reporter: Paul Booker, Assigned: gozer)

9 years ago
Would you please go ahead and update stage / production, thanks

 * Advisory ID: DRUPAL-SA-CONTRIB-2009-037
 * Project: Views
 * Versions: 6.x-2.x
 * Date: 2009-June-10
 * Security risk: Moderately critical
 * Exploitable from: Remote
 * Vulnerability: Cross Site Scripting (XSS), Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented. In the Views UI administrative
interface when configuring exposed filters, user input presented as possible
exposed filters is not correctly filtered, potentially allowing malicious
users to insert arbitrary HTML and script code into these pages. In addition,
content entered by users with 'administer views' permission into the View
name when defining custom views is subsequently displayed without being
filtered. Such cross site scripting [1] (XSS) attacks may lead to a malicious
user gaining full administrative access. An access bypass may exist where
unpublished content owned by the anonymous user (e.g. content created by a
user whose account was later deleted) is visible to any anonymous user if there
is a view already configured to show it incorrectly. An additional access
bypass may occur because Views may generate queries which disrespect node
access control. Users may be able to access private content if they have
permission to see the resulting View.

-------- VERSIONS AFFECTED ---------------------------------------------------

 * Versions of Views for Drupal 6.x prior to 6.x-2.6

Drupal core is not affected. If you do not use the Views module, there is
nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.
 * If you use Views for Drupal 6.x, upgrade to 6.x-2.6 [2]

In addition, preventing the node access bypass may require adding *node:
access filters* to the View manually if using relationships to nodes that
might be restricted. Also see the Views project page [3].

-------- REPORTED BY ---------------------------------------------------------

 * The exposed filters XSS was reported by Derek Wright (dww [4]) of the
   Drupal Security Team [5]
 * The XSS from the view name was reported by Justin Klein Keane
   (Justin_KleinKeane [6])
 * The unpublished content access bypass was reported by Brandon Bergren
   (bdragon [7])
 * The node access query bypass was reported by Moshe Weitzman (moshe
   weitzman [8]) of the Drupal Security Team [9]

-------- FIXED BY ------------------------------------------------------------

Earl Miles (merlinofchaos [10]), Views project maintainer.

-------- CONTACT -------------------------------------------------------------


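The two XSS vectors in the advisory share one root cause: text entered through the Views UI (an exposed-filter label, the view name) is echoed back into an administrative page without being escaped. As an added illustration, not code from the Views module or from this bug, the snippet below places the unescaped pattern beside the escaped one using Drupal 6 core's check_plain(); the function_exists() guard that defines a stand-in check_plain() outside Drupal, and the sample input strings, are assumptions made so it runs stand-alone.

```php
<?php
// Stand-in for Drupal 6 core's check_plain() so this runs outside Drupal.
// Drupal's own implementation makes the same htmlspecialchars() call.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample values of the kind the advisory describes: a view name
// typed by a user holding 'administer views', and an exposed-filter label
// built from request input. Both contain markup but are otherwise harmless.
$view_name     = 'frontpage <b>(copy)</b>';
$exposed_label = 'Type <em>of</em> content';

// Vulnerable pattern: the stored string is concatenated straight into HTML,
// so any tags it carries are parsed by the browser of whoever opens the page.
function render_view_title_unescaped($name) {
  return '<h2>' . $name . '</h2>';
}

// Hardened pattern: escape at output time. Holding 'administer views' does not
// make the stored string safe to print; escaping is a property of the output
// context (HTML here), not of who entered the data.
function render_view_title($name) {
  return '<h2>' . check_plain($name) . '</h2>';
}

// Exposed-filter labels are plain text as well, so they get the same treatment.
function render_exposed_filter_label($label) {
  return '<label>' . check_plain($label) . '</label>';
}

// Run stand-alone: the first line shows the raw markup reaching the page, the
// next two show it neutralised into entities.
echo render_view_title_unescaped($view_name), "\n";
echo render_view_title($view_name), "\n";
echo render_exposed_filter_label($exposed_label), "\n";
```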
9 years ago
Assignee: nobody → gozer

Comment 1

9 years ago
Committed revision 1011.

drupal-views 2.6 installed in staging.

Comment 2

9 years ago
Would you please push through to production, thanks

Comment 3

9 years ago
Pushed to production.

Comment 4

9 years ago
Thanks Gozer.
Last Resolved: 9 years ago
Resolution: --- → FIXED
Product: Websites → Websites Graveyard