Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-162: Drupal Views Module Multiple Security Bypass and HTML Injection Vulnerabilities

June 16, 2009 13:00 GMT

PROBLEM: Drupal Views Module lets attackers bypass security and inject HTML and scripts into pages.
PLATFORM: Red Hat Fedora 9; Red Hat Fedora 10; Drupal Views Module 6.x-2.0, 6.x-2.1, 6.x-2.2, 6.x-2.5
ABSTRACT: An attacker may exploit these vulnerabilities to bypass intended access controls or to render arbitrary HTML and script code in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-162.shtml
  OTHER LINKS: Security Focus
http://www.securityfocus.com/bid/35304/info
Drupal
http://drupal.org/
Drupal Views
http://drupal.org/project/views
Drupal Node
http://drupal.org/node/488068

IMPACT ASSESSMENT: This risk is rated MEDIUM. A remote attacker could compromise trusted systems.

Discussion:
The Views module for Drupal is prone to multiple security-bypass and HTML-injection vulnerabilities.

An attacker may exploit these vulnerabilities to bypass intended access controls or to render arbitrary HTML and script code
in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or
to control how the site is rendered to the user. Other attacks are also possible.

Versions prior to Views 6.x-2.6 are vulnerable.

Attackers can exploit these issues via a browser.

Vendor updates are available.
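Because the bulletin draws the line at Views 6.x-2.6, the practical check on an affected site is the version string in the module's .info file. The following is an added example written for this bulletin; it is not code from DOE-CIRC or from the Views project. It assumes the Drupal 6 convention that releases packaged by drupal.org carry a line of the form version = "6.x-2.5" in views.info, and that the module lives at the default sites/all/modules/views path (both assumptions; the sample .info contents are constructed). It compares release numbers numerically rather than as strings, so a later 6.x-2.10 is not mistaken for something older than 6.x-2.6, and it refuses to decide for development snapshots or other branches.

```python
"""Check whether an installed Drupal 6 Views module predates the fixed 6.x-2.6 release.

Added example for the DOE-CIRC T-162 bulletin; not code from DOE-CIRC or the Views project.
Assumption: drupal.org-packaged releases write a line such as  version = "6.x-2.5"
into the module's .info file. The default path below is also an assumption.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "6.x-2.6"                           # first release the bulletin calls fixed
INFO_PATH = "sites/all/modules/views/views.info"    # assumed default module location

# "version = "6.x-2.5"" (quotes optional), anchored to one line of the .info file
_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)
# Release numbering: <core>.x-<branch>.<patch>, e.g. 6.x-2.5 -> (6, 2, 5)
_RELEASE_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+)$")

# Constructed sample .info contents (not real files from any site).
SAMPLE_VULNERABLE = (
    "name = Views\n"
    "description = Create customized lists and queries from your database.\n"
    "package = Views\ncore = 6.x\n"
    'version = "6.x-2.5"\nproject = "views"\n'
)
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace('"6.x-2.5"', '"6.x-2.6"')
SAMPLE_LATER = SAMPLE_VULNERABLE.replace('"6.x-2.5"', '"6.x-2.10"')
SAMPLE_DEV = SAMPLE_VULNERABLE.replace('"6.x-2.5"', '"6.x-2.x-dev"')
SAMPLE_NO_VERSION = SAMPLE_VULNERABLE.replace('version = "6.x-2.5"\n', "")


def parse_version(info_text: str) -> Optional[str]:
    """Return the version string from .info contents, or None if absent (e.g. a git checkout)."""
    m = _VERSION_RE.search(info_text)
    return m.group(1) if m else None


def release_tuple(version: str) -> Optional[Tuple[int, int, int]]:
    """Map '6.x-2.5' to (6, 2, 5). Snapshots such as '6.x-2.x-dev' return None."""
    m = _RELEASE_RE.match(version)
    return tuple(int(g) for g in m.groups()) if m else None  # type: ignore[return-value]


def is_vulnerable(version: Optional[str], fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version is an older release on the fixed branch, False if at/after the fix.

    None means undecidable: no version, a -dev snapshot, or a different core/branch,
    which the bulletin does not cover and must be checked against the project page.
    """
    if version is None:
        return None
    v, f = release_tuple(version), release_tuple(fixed)
    if v is None or f is None or v[:2] != f[:2]:
        return None
    return v[2] < f[2]  # numeric compare: 10 > 6, unlike the string "6.x-2.10" < "6.x-2.6"


def assess(info_text: str) -> Tuple[Optional[str], Optional[bool]]:
    """Parse .info contents and return (version, vulnerable?)."""
    version = parse_version(info_text)
    return version, is_vulnerable(version)


def assess_file(path: str = INFO_PATH) -> Tuple[Optional[str], Optional[bool]]:
    """Same check against a real .info file on disk."""
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    for label, text in [("2.5", SAMPLE_VULNERABLE), ("2.6", SAMPLE_FIXED),
                        ("2.10", SAMPLE_LATER), ("dev", SAMPLE_DEV), ("none", SAMPLE_NO_VERSION)]:
        version, vuln = assess(text)
        verdict = {True: "VULNERABLE (update to 6.x-2.6)", False: "not affected",
                   None: "undecidable, verify manually"}[vuln]
        print(f"{label:>5}: version={version!r:14} -> {verdict}")
```

Run assess_file() on the site's own views.info to get the verdict; any None result (no version line, a -dev snapshot, or a 6.x-1.x install) should be treated as unverified rather than safe.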

Updates:

Drupal Views Module 6.x-2.0

    * Drupal views-6.x-2.6.tar.gz
      http://ftp.drupal.org/files/projects/views-6.x-2.6.tar.gz

Drupal Views Module 6.x-2.1

    * Drupal views-6.x-2.6.tar.gz
      http://ftp.drupal.org/files/projects/views-6.x-2.6.tar.gz

Drupal Views Module 6.x-2.2

    * Drupal views-6.x-2.6.tar.gz
      http://ftp.drupal.org/files/projects/views-6.x-2.6.tar.gz

Drupal Views Module 6.x-2.5

    * Drupal views-6.x-2.6.tar.gz
      http://ftp.drupal.org/files/projects/views-6.x-2.6.tar.gz

DOE-CIRC wishes to acknowledge the contributions of Derek Wright and Moshe Weitzman of the Drupal Security Team, Justin Klein Keane, and Brandon Bergren for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788