Critical Alert!! - Views on Drupal 6

=========================================================================== AUSCERT External Security Bulletin Redistribution

                           ESB-2011.1103
    A number of vulnerabilities have been identified in Drupal
                        third-party modules
                          4 November 2011

===========================================================================

    AusCERT Security Bulletin Summary
    ---------------------------------

Product: Views (Drupal third-party module) HotBlocks (Drupal third-party module) Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Cross-site Request Forgery -- Remote with User Interaction Cross-site Scripting -- Existing Account
Resolution: Patch/Upgrade

Comment: This bulletin contains two (2) Drupal security team security advisories.

• --------------------------BEGIN INCLUDED TEXT--------------------

  • Advisory ID: DRUPAL-SA-CONTRIB-2011-052
  • Project: Views [1] (third-party module)
  • Version: 6.x
  • Date: 2011-November-02
  • Security risk: Moderately critical [2]
  • Exploitable from: Remote
  • Vulnerability: SQL Injection

• -------- DESCRIPTION -------------------------------------------------------

The Views module enables you to list content in your site in various ways. The module doesn't sufficiently escape database parameters for certain filters/arguments on certain types of views with specific configurations of arguments.

• -------- VERSIONS AFFECTED -------------------------------------------------

  • Views 6.x-2.x versions prior to 6.x-2.13

Drupal core is not affected. If you do not use the contributed Views [3] module, there is nothing you need to do.

• -------- SOLUTION ----------------------------------------------------------

Install the latest version:

• Upgrade to Views 6.x-2.13 [4]

Views 6.x-2.14 [5] is also released today. It contains the security fix and new features and bug fixes.

See also the Views [6] project page.

• -------- REPORTED BY -------------------------------------------------------

  • Olli Vesslin [7]

• -------- FIXED BY ----------------------------------------------------------

  • dereine [8] the module co-maintainer

• -------- COORDINATED BY ----------------------------------------------------

  • Heine Deelstra [9] of the Drupal Security Team
  • Peter Wolanin [10] of the Drupal Security Team

• -------- CONTACT AND MORE INFORMATION --------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/views [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/views [4] http://drupal.org/node/1329842 [5] http://drupal.org/node/1329846 [6] http://drupal.org/project/views [7] http://drupal.org/user/789644 [8] http://drupal.org/user/99340 [9] http://drupal.org/user/17943 [10] http://drupal.org/user/49851 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

• Advisory ID: DRUPAL-SA-CONTRIB-2011-051
• Project: HotBlocks [1] (third-party module)
• Version: 6.x
• Date: 2011-November-02
• Security risk: Less critical [2]
• Exploitable from: Remote

• Vulnerability: Access bypass, Cross Site Scripting, Cross Site Request Forgery

  • -------- DESCRIPTION -------------------------------------------------------

The HotBlocks module provides a rich experience for managing blocks. The module contained multiple vulnerabilities including Cross Site Scripting (XSS), Access Bypass, and Cross Site Request Forgery (CSRF). XSS is mitigated by the fact that an attacker must have a role with the permission "administer hotblocks". The Access Bypass is mitigated by the fact that the module's author intended (but did not document) the bypass as a feature. The CSRF issue requires an authenticated user with sufficient permissions to be tricked into visiting a specially crafted URL.

• -------- VERSIONS AFFECTED -------------------------------------------------

  • HotBlocks 6.x-1.x versions prior to 6.x-1.6.

Drupal core is not affected. If you do not use the contributed HotBlocks [3] module, there is nothing you need to do.

• -------- SOLUTION ----------------------------------------------------------

Install the latest version:

• If you use the HotBlocks module for Drupal 6.x, upgrade to HotBlocks 6.x-1.6 [4]

See also the HotBlocks [5] project page.

• -------- REPORTED BY -------------------------------------------------------

  • Greg Knaddison [6] of the Drupal Security Team

• -------- FIXED BY ----------------------------------------------------------

  • Justin Dodge [7] the module maintainer

• -------- RELEASE COORDINATED BY --------------------------------------------

  • Greg Knaddison [8] of the Drupal Security Team

• -------- CONTACT AND MORE INFORMATION --------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/hotblocks [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/hotblocks [4] http://drupal.org/node/1329404 [5] http://drupal.org/project/hotblocks [6] http://drupal.org/user/36762 [7] http://drupal.org/user/238638 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration