Fedora 9 : drupal-views-6.x.2.6-1.fc9 (2009-6171)

medium Nessus Plugin ID 39401

Synopsis

The remote Fedora host is missing a security update.

Description

- Advisory ID: DRUPAL-SA-CONTRIB-2009-037 [0] * Project:
Views * Versions: 6.x-2.x * Date: 2009-June-10 * Security risk: Moderately critical * Exploitable from:
Remote * Vulnerability: Cross Site Scripting (XSS), Access Bypass -------- DESCRIPTION
--------------------------------------------------------
- The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. In the Views UI administrative interface when configuring exposed filters, user input presented as possible exposed filters is not correctly filtered, potentially allowing malicious users to insert arbitrary HTML and script code into these pages. In addition, content entered by users with 'administer views' permission into the View name when defining custom views is subsequently displayed without being filtered. Such cross site scripting [1] (XSS) attacks may lead to a malicious user gaining full administrative access. An access bypass may exist where unpublished content owned by the anonymous user (e.g. content created by a user whose account was later deleted) is visible to any anonymous user there is a view already configured to show it incorrectly. An additional access bypass may occur because Views may generate queries which disrespect node access control. Users may be able to access private content if they have permission to see the resulting View. -------- VERSIONS AFFECTED
--------------------------------------------------- * Versions of Views for Drupal 6.x prior to 6.x-2.6 Drupal core is not affected. If you do not use the Views module, there is nothing you need to do. -------- SOLUTION
--------------------------------------------------------
---- Install the latest version. * If you use Views for Drupal 6.x upgrade to 6.x-2.6 [2] In addition, preventing the node access bypass may require adding
*node: access filters* to the View manually if using relationships to nodes that might be restricted. Also see the Views project page [3]. -------- REPORTED BY
--------------------------------------------------------
- * The exposed filters XSS was reported by Derek Wright (dww [4]) of the Drupal Security Team [5] * The XSS from the view name was reported by Justin Klein Keane (Justin_KleinKeane [6]) * The unpublished content access bypass was reported by Brandon Bergren (bdragon [7]) * The node access query bypass was reported by Moshe Weitzman (moshe weitzman [8]) of the Drupal Security Team [9] -------- FIXED BY
--------------------------------------------------------
---- Earl Miles (merlinofchaos [10]) Views project maintainer. -------- CONTACT
--------------------------------------------------------
----- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category. [0] http://drupal.org/node/488068 [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/488082 [3] http://drupal.org/project/views [4] http://drupal.org/user/46549 [5] http://drupal.org/security-team [6] http://drupal.org/user/302225 [7] http://drupal.org/user/53081 [8] http://drupal.org/user/23 [9] http://drupal.org/security-team [10] http://drupal.org/user/26979

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected drupal-views package.

See Also

http://drupal.org/node/488068

http://drupal.org/node/488082

https://www.drupal.org/project/views

https://en.wikipedia.org/wiki/Cross-site_scripting

http://www.nessus.org/u?350b06f6

Plugin Details

Severity: Medium

ID: 39401

File Name: fedora_2009-6171.nasl

Version: 1.16

Type: local

Agent: unix

Published: 6/16/2009

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:drupal-views, cpe:/o:fedoraproject:fedora:9

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/15/2009

Vulnerability Publication Date: 6/15/2009

Reference Information

BID: 35304

FEDORA: 2009-6171