Drupal 6 Views Module XSS Vulnerability

2009.06.12

Credit: Justin Klein Keane

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Author: Justin C. Klein Keane <justin_at_madirish&#46;net>
Vendor Response:  See below

Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-views-xss-vulnerability

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules. The Drupal Views module
(http://drupal.org/project/views) allows administrators to control lists
and presentation of content. This frees maintainers from restrictions
imposed by taxonomy and allows administrators to build smart queries for
gathering result sets to display. The Views module contains a cross site
scripting (XSS) vulnerability that allows authenticated users with
'administer views' privileges to inject arbitrary HTML into certain
fields when defining custom views.

Systems affected:
- -----------------
Drupal 6.12 with Views 6.x-2.5 was tested and shown to be vulnerable

Mitigating factors:
- -------------------
Attacker must have 'administer views' permissions in order to exploit
this vulnerability.

Proof of concept:
- -----------------
1. Install Drupal 6.12.
2. Install Views and enable all Views functionality through Administer
- -> Modules
3. Click Administer -> Site Building -> Views
4. Click 'Add' to create a new View
5. Fill in arbitrary values for name, description, and tag
6. Select 'node' for 'View type'
7. In 'Basic settings' click 'Defaults' next to 'Name'
8. Enter "<script>alert('name');</script>" in "The name of this display"
textbox
9. Click "update" to view JavaScript alerts

Vendor Response
- ---------------
Upgrade to the latest version of Views. http://drupal.org/node/488068

- --

Justin C. Klein Keane
http://www.MadIrish.net
http://LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkowNQMACgkQkSlsbLsN1gDSdgb+Ob+cgT4JtVi8rrF3hXbwyeYI
uxNxGYDh4An6LY3nnc8PMNfUvMXbX1BG63TUYQkXM5DNxlprnNN+FZXDCcD62FZo
NjHthS/WiVNTYrRlKjByRdXeEtVx2gqqwrzVQhrQ7TiixPmIidQW1fggr+wt/MDS
XyNEh5/8tRCzan1Bn+bdXzfJXnkhycUPP1rJnAxUnV4FZbp7j7GmEd0AOBFfy+eY
BTstq3zqRtl0ZF2Ci1RJMJZw9YCH1zx/8n2WaGMm/8q4U6fiHjpoY1eGj59TQVqc
o39FPgH9Uxz2J1ofJUY=
=TbdX
-----END PGP SIGNATURE-----

References:

http://seclists.org/fulldisclosure/2009/Jun/0117.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Drupal 6 Views Module XSS Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.