I've attached a view export that exhibits this vulnerability. To reproduce, simply import and visit either views_ui or the views page path.

The security team has cleared this issue to be fixed publicly as this exploit requires administer views.


Comments

dawehner

Status: Active » Needs review
File size: 534 bytes

Thanks for testing basically everything in terms of basic security. Here is a patch which should fix this particular issue.

dstol

Status: Needs review » Needs work

The patch in #1 fixes views issue but not views_ui.

dawehner

Status: Needs work » Needs review
File size: 1.33 KB

Here are some more places, thanks for the proper review!

dstol

Status: Needs review » Reviewed & tested by the community

Confirmed fixed.

dawehner

Version: 7.x-3.x-dev » 6.x-3.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Committed to 7.x-3.x, let's backport them to 6.x-3.x as well.

Chris Matthews

Issue summary: View changes
Status: Patch (to be ported) » Closed (outdated)

The Drupal 6 branch is no longer supported; please check with the D6LTS project if you need further support. For more information as to why this issue was closed, please see issue #3030347: Plan to clean process issue queue.