
Fedora alert FEDORA-2010-6317 (drupal-views)

From:  updates@fedoraproject.org
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 12 Update: drupal-views-6.x.2.9-1.fc12
Date:  Sat, 10 Apr 2010 10:19:52 +0000
Message-ID:  <20100410101952.9CD811107E8@bastion02.phx2.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-6317
2010-04-10 08:51:29
--------------------------------------------------------------------------------

Name        : drupal-views
Product     : Fedora 12
Version     : 6.x.2.9
Release     : 1.fc12
URL         : http://drupal.org/project/views
Summary     : Provides a method for site designers to control content presentation
Description :
The views module provides a flexible method for Drupal site designers to
control how lists of content (nodes) are presented. Traditionally, Drupal has
hard-coded most of this, particularly in how taxonomy and tracker lists are
formatted.

This tool is essentially a smart query builder that, given enough information,
can build the proper query, execute it, and display the results. It has four
modes, plus a special mode, and provides an impressive amount of functionality
from these modes.

--------------------------------------------------------------------------------
Update Information:

SA-CONTRIB-2010-036 - Views - multiple vulnerabilities
------------------------------------------------------

* Advisory ID: DRUPAL-SA-CONTRIB-2010-036 (http://drupal.org/node/765022)
* Project: Views (third-party module)
* Version: 5.x, 6.x
* Date: 2010-April-7
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS), arbitrary code execution

DESCRIPTION
-----------

The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented.

Views accepts parameters in the URL and uses them in an AJAX callback. The
values were not filtered, thus allowing injection of JavaScript code via the
AJAX response. A user tricked into visiting a crafted URL could be exposed to
arbitrary script or HTML injected into the page.

In addition, the Views module does not properly sanitize file descriptions
when displaying them in a view, so file descriptions may be used to inject
arbitrary script or HTML. Such cross site scripting [1] (XSS) attacks may lead
to a malicious user gaining full administrative access.

These vulnerabilities affect only the Drupal 6 version. The file description
vulnerability is mitigated by the fact that the attacker must have permission
to upload files.

In both the Drupal 5 and Drupal 6 versions, users with permission to
'administer views' can execute arbitrary PHP code using the views import
feature. An additional check for the permission 'use PHP for block visibility'
has been added to ensure that the site administrator has already granted users
of the import functionality the permission to execute PHP.

VERSIONS AFFECTED
-----------------

* Versions of Views for Drupal 6.x prior to 6.x-2.9
* Versions of Views for Drupal 5.x prior to 5.x-1.7

Note - the 6.x-3.x branch alpha releases are affected also.

If you do not use the contributed Views module, there is nothing you need to do.

SOLUTION
--------

Install the latest version:

* If you use Views for Drupal 6.x upgrade to Views 6.x-2.9 [2] or any later
  version.
* If you use Views for Drupal 5.x upgrade to Views 5.x-1.7 [3] or any later
  version.

Also see the Views [4] project page.

REPORTED BY
-----------

* XSS via AJAX parameters reported by Angel Lozano Alcazar of S21Sec
* XSS via file descriptions reported by Martin Barbella [5]
* PHP execution reported by Derek Wright (dww [6]) of the Drupal Security
  Team [7]

FIXED BY
--------

* Earl Miles (merlinofchaos [8]), Views project maintainer.

CONTACT
-------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

* [1] http://en.wikipedia.org/wiki/Cross-site_scripting
* [2] http://drupal.org/node/765088
* [3] http://drupal.org/node/765090
* [4] http://drupal.org/project/views
* [5] http://drupal.org/user/633600
* [6] http://drupal.org/user/46549
* [7] http://drupal.org/security-team
* [8] http://drupal.org/user/26979

--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  8 2010 Jon Ciesla <limb@jcomserv.net> - 6.x.2.9-1
- New upstream, fixes SA-CONTRIB-2010-036.
* Tue Dec  1 2009 Jon Ciesla <limb@jcomserv.net> - 6.x.2.7-1
- New upstream, BZ 541440.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update drupal-views' at the command line. For more information,
refer to "Managing Software with yum", available at
http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
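The advisory names three defects: request parameters echoed unfiltered into an AJAX response, file descriptions rendered without sanitization, and an import feature that evaluates PHP behind only the 'administer views' permission. The Drupal 6 module below is an added illustration of the corresponding fixes; it is not code from the Views module, the Drupal Security Team or the Fedora package. The module name, menu paths, parameter names and helper functions are hypothetical, while check_plain(), filter_xss(), user_access(), drupal_json() and drupal_get_form() are the standard Drupal 6 API.

```php
<?php
// Added example, not part of the Views module or this Fedora update.
// Module name "example_views", the paths and the parameter names are
// hypothetical; the Drupal API calls are real Drupal 6 functions.

/**
 * Implementation of hook_menu(): one AJAX callback and one import page.
 */
function example_views_menu() {
  $items = array();
  $items['example/ajax'] = array(
    'page callback' => 'example_views_ajax',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  $items['example/import'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_views_import_form'),
    // The access callback is where the advisory's extra permission check goes.
    'access callback' => 'example_views_import_access',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * AJAX callback. Issue 1 in the advisory: URL parameters were placed in
 * the response unfiltered, so a crafted URL could inject script.
 */
function example_views_ajax() {
  // Hypothetical parameters supplied in the request.
  $display_id = isset($_GET['display_id']) ? $_GET['display_id'] : '';
  $title      = isset($_GET['title'])      ? $_GET['title']      : '';

  // Weak form (what the advisory describes): raw request data reaches the
  // browser as markup.
  //   $output = '<div id="' . $display_id . '">' . $title . '</div>';

  // Corrected form: check_plain() HTML-escapes the value for use as text or
  // an attribute, which is what a parameter that should never carry markup
  // needs. filter_xss() is the choice when a limited set of tags is wanted.
  $output = '<div id="' . check_plain($display_id) . '">'
          . check_plain($title) . '</div>';

  // drupal_json() sets the JSON content type and encodes the array.
  drupal_json(array('status' => TRUE, 'display' => $output));
}

/**
 * Issue 2: file descriptions are user-controlled text stored at upload time
 * and must be treated as untrusted when a view renders them. filter_xss()
 * keeps harmless inline tags and strips script, event handlers and
 * javascript: URLs; use check_plain() instead if no markup is wanted.
 */
function example_views_render_file_description($file) {
  $description = isset($file->description) ? $file->description : '';
  return filter_xss($description, array('a', 'em', 'strong', 'code'));
}

/**
 * Issue 3: imported view definitions can contain PHP that the import
 * feature evaluates. 'administer views' alone is therefore equivalent to
 * "may run PHP", which a site administrator may not have intended. Tying
 * the import page to the core 'use PHP for block visibility' permission
 * means the administrator must already have granted PHP execution.
 */
function example_views_import_access() {
  return user_access('administer views')
      && user_access('use PHP for block visibility');
}

/**
 * Minimal import form; the real work would happen in the submit handler.
 */
function example_views_import_form() {
  $form['view'] = array(
    '#type' => 'textarea',
    '#title' => t('Exported view'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Import'));
  return $form;
}
```

The access callback returns FALSE for a user holding 'administer views' but not 'use PHP for block visibility', so Drupal's menu system answers the import path with "access denied" before the form is built; that is the behavioural change the advisory describes for Views 6.x-2.9 and 5.x-1.7. The sanitization calls in the other two functions illustrate the general rule behind the XSS fixes: escape at output time, choosing check_plain() or filter_xss() by the context the value lands in.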

