Drupal Views 6.x-2.5 XSS Vulnerability


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third-party modules. The Drupal Views module (http://drupal.org/project/views) allows administrators to control lists and presentation of content. This frees maintainers from restrictions imposed by taxonomy and allows administrators to build smart queries for gathering result sets to display. The Views module contains a cross-site scripting (XSS) vulnerability that allows authenticated users with 'administer views' privileges to inject arbitrary HTML into certain fields when defining custom views, because those fields are rendered without being escaped.

Systems affected:

Drupal 6.12 with Views 6.x-2.5 was tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise, which in turn could lead to compromise of the web server process.

Mitigating factors:

Attacker must have 'administer views' permissions in order to exploit this vulnerability.

Proof of concept:

  1. Install Drupal 6.12.
  2. Install Views and enable all Views functionality through Administer -> Modules.
  3. Click Administer -> Site Building -> Views.
  4. Click 'Add' to create a new View.
  5. Fill in arbitrary values for name, description, and tag.
  6. Select 'node' for 'View type'.
  7. In 'Basic settings' click 'Defaults' next to 'Name'.
  8. Enter "<script>alert('name');</script>" in "The name of this display" textbox.
  9. Click "update" to view JavaScript alerts.
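The flaw behind the proof of concept is an output-escaping omission: the display name stored from the form is concatenated straight into page markup. The following PHP snippet is an added example written for this advisory, not code from the Views module or from the advisory's author. It contrasts the vulnerable rendering pattern with the hardened one and uses the payload from step 8 above as constructed input. The function names (render_display_name_unsafe, render_display_name_safe, check_plain_local, contains_raw_payload) are assumptions made for the example; check_plain_local reproduces what Drupal 6's check_plain() does (htmlspecialchars with ENT_QUOTES and UTF-8) so that the snippet runs outside a Drupal install.

```php
<?php
// Added example, not the Views module's own code.
// Constructed sample input: the value typed into "The name of this display".
$displayName = "<script>alert('name');</script>";

// Vulnerable pattern (the behaviour the advisory describes): a stored,
// user-controlled string is interpolated into markup without escaping.
function render_display_name_unsafe(string $name): string
{
    return '<h2 class="view-display-title">' . $name . '</h2>';
}

// Local stand-in for Drupal 6's check_plain(): HTML-escape on output.
// (check_plain() additionally rejects invalid UTF-8; omitted here.)
function check_plain_local(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: escape every administrator-supplied string at render time.
function render_display_name_safe(string $name): string
{
    return '<h2 class="view-display-title">' . check_plain_local($name) . '</h2>';
}

// Simple review check: does the rendered HTML still contain the raw payload?
function contains_raw_payload(string $html, string $untrusted): bool
{
    return strpos($html, $untrusted) !== false;
}

$unsafe = render_display_name_unsafe($displayName);
$safe   = render_display_name_safe($displayName);

// Self-checks: the unsafe render ships the script tag, the safe render does not.
assert(contains_raw_payload($unsafe, $displayName) === true);
assert(contains_raw_payload($safe, $displayName) === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "unsafe: ", $unsafe, "\n";
echo "safe:   ", $safe, "\n";
```

Run it with `php example.php` on any PHP 7.4+ interpreter. The same check applies to every free-text field a view definition exposes (name, description, tag, display titles): anything an 'administer views' user can store must pass through check_plain() or an equivalent filter before it reaches an administrator's browser.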

Vendor Response:

Upgrade to the latest version of Views: http://drupal.org/node/488068