Drupal Views Module Information Disclosure Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules.

The Drupal Views (http://drupal.org/project/views) module "provides a flexible method for Drupal site designers to control how lists and tables of content (nodes in Views 1, almost anything in Views 2) are presented." The Views module contains an information disclosure vulnerability due to the fact that it allows access to user profile data.

Systems affected:

Drupal 6.16 with Views 6.x-2.9, 6.x-2.10 and 6.x-2.11 were tested and shown to be vulnerable.

Impact:

Information disclosure vulnerabilities such as this could allow malicious attackers to harvest username data in order to launch a targeted brute force attack against site users. This vulnerability exposes actual user names, so defensive strategies that protect usernames (such as using aliases, or the RealName (http://drupal.org/project/realname) module) cannot protect against this exposure. This method is particularly useful for finding the Drupal super user account (id 1) and other accounts that might not be exposed anywhere on the public-facing site. This technique can be combined with the brute force attack techniques described at http://madirish.net/index.html?article=443, http://www.madirish.net/?article=453, and http://madirish.net/index.html?article=464 to gain unauthorized access.

Mitigating factors:

Access content permission is required, but this permission is usually granted to anonymous users.

Proof of Concept:

  1. Install Drupal
  2. Install and enable the Views module
  3. Browse the site URL ?q=admin/views/ajax/autocomplete/user/a to view all users whose name starts with the letter 'a'
  4. Cycle through all letters to reveal complete list of site users

Technical details:

The Views module fails to provide access controls in the views_ajax_autocomplete_user() function.
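Because the unguarded autocomplete path answers anonymous requests, attempts to enumerate accounts through it leave a distinctive trace in the web server log: one client requesting many different short prefixes against admin/views/ajax/autocomplete/user/ in quick succession, typically with no referer from the Views admin UI. The following detection script is an added example written for this advisory, not code from the Views project or the advisory's author. It parses Apache combined-format lines (the log lines below are constructed samples), recovers the autocomplete prefix from both the ?q= and clean-URL forms of the path, and reports any client that queried at least `min_distinct` different prefixes; the threshold and the log format are assumptions to adapt to the site being monitored.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (not taken from any real server).
# 203.0.113.7 walks the alphabet against the autocomplete path; 198.51.100.9 is
# an administrator using the Views UI once and then browsing normally.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2010:15:40:01 -0400] "GET /?q=admin/views/ajax/autocomplete/user/a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2010:15:40:02 -0400] "GET /?q=admin/views/ajax/autocomplete/user/b HTTP/1.1" 200 431 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2010:15:40:03 -0400] "GET /?q=admin/views/ajax/autocomplete/user/c HTTP/1.1" 200 398 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2010:15:40:04 -0400] "GET /?q=admin/views/ajax/autocomplete/user/d HTTP/1.1" 200 402 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2010:15:41:10 -0400] "GET /admin/views/ajax/autocomplete/user/jo HTTP/1.1" 200 120 "http://example.test/admin/build/views" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2010:15:41:12 -0400] "GET /node/12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Matches both "/?q=admin/views/ajax/autocomplete/user/<prefix>" (no clean URLs)
# and "/admin/views/ajax/autocomplete/user/<prefix>" (clean URLs enabled).
AUTOCOMPLETE_RE = re.compile(
    r'^/(?:index\.php)?(?:\?q=)?admin/views/ajax/autocomplete/user/(?P<prefix>[^?&/\s]*)'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_prefix(path):
    """Return the URL-decoded autocomplete prefix from a request path, or None."""
    m = AUTOCOMPLETE_RE.match(path)
    if not m:
        return None
    return unquote(m.group('prefix'))


def find_enumeration(log_text, min_distinct=3):
    """Map each client IP that queried at least `min_distinct` different
    autocomplete prefixes to the sorted list of prefixes it tried.

    A single administrator typing one name in the Views UI produces a handful of
    requests for progressively longer prefixes of the same name; an enumeration
    attempt produces many unrelated prefixes, so distinct-prefix count is the
    signal used here (threshold is an assumption; tune it per site)."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prefix = extract_prefix(rec['path'])
        if not prefix:          # not the autocomplete path, or an empty prefix
            continue
        per_ip[rec['ip']].add(prefix)
    return {ip: sorted(p) for ip, p in per_ip.items() if len(p) >= min_distinct}


if __name__ == '__main__':
    for ip, prefixes in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: {len(prefixes)} distinct autocomplete prefixes: {prefixes}')
```

On the sample data only 203.0.113.7 is reported; the administrator's single two-letter lookup from the Views UI stays below the threshold. The referer is parsed but not used in the verdict, so the check still works when clients strip it; sites that want a stricter rule can additionally flag autocomplete requests whose referer is not an admin/build/views page.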

Patch

Applying the following patch mitigates these threats in Drupal 6.16 with Views 6.x-2.8.

--- views/includes/ajax.inc   2010-04-02 15:36:34.117075835 -0400
+++ views/includes/ajax.inc.fixed       2010-04-02 15:37:51.727276610 -0400
@@ -159,7 +159,7 @@ function views_ajax_autocomplete_user($s
  // Fetch last tag
  $last_string = trim(array_pop($array));
  $matches = array();
---  if ($last_string != '') {
+++  if ($last_string != '' && user_access('access user profiles')) {
    $prefix = count($array) ? implode(', ', $array) . ', ' : '';

    if (strpos('anonymous', strtolower($last_string)) !== FALSE) {
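Review bot: the two changed lines in this hunk begin with `---` and `+++`, which a unified-diff parser treats as file headers rather than as a removed and an added line, so the patch will not apply as shown; they should read `-  if ($last_string != '') {` and `+  if ($last_string != '' && user_access('access user profiles')) {`. On the logic, folding the permission test into the `$last_string != ''` condition does leave unauthorised callers with the empty `$matches` that was just initialised, which is the right outcome, but a `user_access('access user profiles')` check at the top of `views_ajax_autocomplete_user()` that returns early would cover every path through the function rather than only this branch and would state the intent more clearly than a compound condition.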

Vendor response:

Vendor was notified April 2, 2010 of this issue. Three versions of Views have been released since. Ultimately Drupal security decided that this was not a vulnerability and could be handled publicly.