Fedora 11 : drupal-views-6.x.2.9-1.fc11 (2010-6356)

high Nessus Plugin ID 47432

Language:

Synopsis

The remote Fedora host is missing a security update.

Description

SA-CONTRIB-2010-036 - Views - multiple vulnerabilities
------------------------------------------------------ * Advisory ID:
[DRUPAL-SA-CONTRIB-2010-036](http://drupal.org/node/765022) * Project:
Views (third-party module) * Version: 5.x, 6.x * Date: 2010-April-7 * Security risk: Critical * Exploitable from: Remote * Vulnerability:
Cross Site Scripting (XSS), arbitrary code execution DESCRIPTION
----------- The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. Views accepts parameters in the URL and uses them in an AJAX callback. The values were not filtered, thus allowing injection of JavaScript code via the AJAX response. A user tricked into visiting a crafted URL could be exposed to arbitrary script or HTML injected into the page.
In addition, the Views module does not properly sanitize file descriptions when displaying them in a view, thus the the file desciptions may be used to inject arbitrary script or HTML. Such cross site scripting [1] (XSS) attacks may lead to a malicious user gaining full administrative access. These vulnerabilities affect only the Drupal 6 version. The file description vulnerability is mitigated by the fact that the attacker must have permission to upload files. In both the Drupal 5 and Drupal 6 versions, users with permission to 'administer views' can execute arbitrary PHP code using the views import feature. An additional check for the permission 'use PHP for block visibility' has been added to insure that the site administrator has already granted users of the import functionality the permission to execute PHP. VERSIONS AFFECTED ----------------- * Versions of Views for Drupal 6.x prior to 6.x-2.9 * Versions of Views for Drupal 5.x prior to 5.x-1.7 Note - the 6.x-3.x branch alpha releases are affected also. If you do not use the contributed Views module, there is nothing you need to do. SOLUTION -------- Install the latest version: * If you use Views for Drupal 6.x upgrade to Views 6.x-2.9 [2] or any later version. * If you use Views for Drupal 6.x upgrade to Views 5.x-1.7 [3] or any later version. Also see the Views [4] project page. REPORTED BY ----------- * XSS via AJAX parameters reported by Angel Lozano Alcazar of S21Sec * XSS via file descriptions reported by Martin Barbella [5]

- PHP execution reported by Derek Wright (dww [6]) of the Drupal Security Team [7] FIXED BY -------- * Earl Miles (merlinofchaos [8]) Views project maintainer. CONTACT
------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

- [1] http://en.wikipedia.org/wiki/Cross-site_scripting * [2] http://drupal.org/node/765088 * [3] http://drupal.org/node/765090 * [4] http://drupal.org/project/views * [5] http://drupal.org/user/633600 * [6] http://drupal.org/user/46549 * [7] http://drupal.org/security-team * [8] http://drupal.org/user/26979

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected drupal-views package.

See Also

http://drupal.org/node/765022

http://drupal.org/node/765088

http://drupal.org/node/765090

https://www.drupal.org/project/views

https://en.wikipedia.org/wiki/Cross-site_scripting

http://www.nessus.org/u?1f86d8b1

Plugin Details

Severity: High

ID: 47432

File Name: fedora_2010-6356.nasl

Version: 1.13

Type: local

Agent: unix

Published: 7/1/2010

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:drupal-views, cpe:/o:fedoraproject:fedora:11

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 4/10/2010

Vulnerability Publication Date: 4/10/2010

Reference Information

FEDORA: 2010-6356