Synopsis
The remote Fedora host is missing a security update.
Description
Advisory ID: DRUPAL-SA-CONTRIB-2010-067 (http://drupal.org/node/829840)
Project: Views (third-party module)
Version: 5.x, 6.x
Date: 2010-June-16
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION --------
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented.

-------- CROSS SITE REQUEST FORGERY (CSRF) --------
The Views UI module, which is included with Views, can be used to enable/disable Views by following a link to a particular page (e.g. admin/build/views/disable/frontpage). As no protections, such as form tokens, are in place to prevent forged requests to these pages, the feature is vulnerable to a Cross Site Request Forgery (CSRF [1]) that would allow an attacker to enable/disable all Views on a site.

Mitigating factors: If the Views UI module is disabled, Views will no longer be affected by this vulnerability. This issue affects Views for Drupal 5 and Drupal 6.

-------- CROSS SITE SCRIPTING (XSS) --------
Under certain circumstances, Views could display URLs or aggregator feed titles without escaping, resulting in a Cross Site Scripting (XSS [2]) vulnerability. An attacker could exploit this to gain full administrative access. This issue affects Views for Drupal 6 only.

-------- VERSIONS AFFECTED --------
* Views module for Drupal 5.x versions prior to 5.x-1.8
* Views module for Drupal 6.x versions prior to 6.x-2.11
Drupal core is not affected. If you do not use the contributed Views [3] module, there is nothing you need to do.

-------- SOLUTION --------
Install the latest version:
* If you use the Views module for Drupal 5.x, upgrade to Views 5.x-1.8 [4]
* If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.11 [5]
See also the Views project page [6].

-------- REPORTED BY --------
* The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin Barbella (mbarbella [7]).
* The Cross Site Scripting (XSS) vulnerabilities were reported by Earl Miles (merlinofchaos [8]), module maintainer, and Daniel Wehner (dereine [9]), module co-maintainer.

-------- FIXED BY --------
* Earl Miles (merlinofchaos [10]), module maintainer

-------- CONTACT --------
The Drupal security team [11] can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/views
[4] http://drupal.org/node/829848
[5] http://drupal.org/node/829846
[6] http://drupal.org/project/views
[7] http://drupal.org/user/633600
[8] http://drupal.org/user/26979
[9] http://drupal.org/user/99340
[10] http://drupal.org/user/26979
[11] http://drupal.org/security-team
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
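The CSRF weakness in the advisory above (a state-changing action triggered by a plain link, with no form token) as an added illustration, not code from the Views module, the advisory or Tenable: a Drupal 6 style menu callback that toggles a view from a link, first unprotected and then guarded with drupal_get_token()/drupal_valid_token(). The example/ paths, the example_* functions and the example_view_status variable are hypothetical, and the fix Views actually shipped is not reproduced here.

```php
<?php
// Added illustration of the CSRF issue class; not the Views module's code.
// Hypothetical persistence helper: record whether a named view is disabled.
function example_set_view_disabled($view_name, $disabled) {
  $status = variable_get('example_view_status', array());
  $status[$view_name] = (bool) $disabled;
  variable_set('example_view_status', $status);
}

// VULNERABLE: any GET request to example/views/disable/<name> performs the
// change. A request forged by another site is sent with the victim's own
// session cookie, so the permission check in hook_menu() does not help.
function example_views_toggle_unsafe($view_name, $disabled) {
  example_set_view_disabled($view_name, $disabled);
  drupal_set_message(t('View %name updated.', array('%name' => $view_name)));
  drupal_goto('admin/build/views');
}

// HARDENED, step 1: the link carries a token bound to the user's session
// and to this exact action path, so another site cannot know or guess it.
function example_views_toggle_link($view_name, $disabled) {
  $action = $disabled ? 'disable' : 'enable';
  $path = 'example/views/' . $action . '/' . $view_name;
  $token = drupal_get_token($path);
  return l(t($action), $path, array('query' => array('token' => $token)));
}

// HARDENED, step 2: the callback refuses any request whose token is missing
// or does not validate for this session and path, before touching state.
function example_views_toggle_safe($view_name, $disabled) {
  $action = $disabled ? 'disable' : 'enable';
  $path = 'example/views/' . $action . '/' . $view_name;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return drupal_access_denied();
  }
  example_set_view_disabled($view_name, $disabled);
  drupal_set_message(t('View %name updated.', array('%name' => $view_name)));
  drupal_goto('admin/build/views');
}

// Menu entries wiring both actions to the token-checked callback.
// Argument index 3 is the '%' wildcard (the view name); TRUE/FALSE is passed as-is.
function example_menu() {
  $items = array();
  foreach (array('disable' => TRUE, 'enable' => FALSE) as $action => $disabled) {
    $items['example/views/' . $action . '/%'] = array(
      'page callback' => 'example_views_toggle_safe',
      'page arguments' => array(3, $disabled),
      'access arguments' => array('administer views'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}
```

The more idiomatic Drupal 6 alternative is to route the link to a confirm_form() page, which performs the change on POST and gets the Form API token check for free; the explicit token above is the minimal change when the action must stay a link.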
Solution
Update the affected drupal-views package.
Plugin Details
File Name: fedora_2010-10215.nasl
Agent: unix
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Vulnerability Information
CPE: p-cpe:/a:fedoraproject:fedora:drupal-views, cpe:/o:fedoraproject:fedora:13
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list
Patch Publication Date: 6/21/2010
Vulnerability Publication Date: 6/21/2010