Bug 740553 (CVE-2011-3373)

Summary: CVE-2011-3373 drupal6-views_bulk_operations: XSS due improper escaping of a vocabulary help (SA-CONTRIB-2011-042)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: peter.borsa, sven
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-10 07:53:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 740555, 740556    
Bug Blocks:    

Description Jan Lieskovsky 2011-09-22 12:45:42 UTC 
The Drupal views module provides a flexible method for Drupal site designers to control how lists of content (nodes) are presented. The Views Bulk Operations (VBO) Drupal module module augments views by allowing bulk operations to be executed on the nodes displayed by a view. It does so by showing a check box in front of each node, and adding a select box containing operations that can be applied on the selected nodes.

It was found in the way Drupal Views Builk Operations (VBO) module did not escape the vocabulary help properly, when the vocabulary has had user tagging enabled and "Modify node taxonomy terms" action was used for modification of the taxonomy. A remote attacker could provide a specially-crafted URL, which once visited by unsuspecting Drupal user, disposing with the 'administer taxonomy' permission, could lead to arbitrary HTML or web script execution (cross-site scripting [XSS] attack).

References:
[1] http://drupal.org/node/1286844
[2] http://secunia.com/advisories/46114/

Upstream solution:
Upgrage to 6.x-1.11:
[3] http://drupal.org/node/1286778
Comment 1 Jan Lieskovsky 2011-09-22 12:48:01 UTC 
This issue affects the versions of the drupal6-views_bulk_operations package, as shipped with Fedora release of 14 and Fedora release of 15. Please schedule an update.

--

This issue affects the versions of the drupal6-views_bulk_operations package, as present within EPEL-5 and EPEL-6 repositories. Please schedule an update.
Comment 2 Jan Lieskovsky 2011-09-22 12:55:42 UTC 
CVE request:
[4] http://www.openwall.com/lists/oss-security/2011/09/22/4
Comment 3 Jan Lieskovsky 2011-09-22 12:57:44 UTC 
Created drupal6-views_bulk_operations tracking bugs for this issue

Affects: fedora-all [bug 740555]
Affects: epel-all [bug 740556]
Comment 4 Jan Lieskovsky 2011-09-23 15:37:03 UTC 
The CVE identifier of CVE-2011-3373 has been assigned to this issue:
[5] http://www.openwall.com/lists/oss-security/2011/09/23/1
Comment 5 Fedora Update System 2011-10-09 21:00:01 UTC 
drupal6-views_bulk_operations-1.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2011-10-09 21:00:23 UTC 
drupal6-views_bulk_operations-1.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Jan Lieskovsky 2011-10-10 07:53:58 UTC 
This issue has been addressed in the following updates:
1) drupal6-views_bulk_operations-1.11-1.fc16,
2) drupal6-views_bulk_operations-1.11-1.fc15,
3) drupal6-views_bulk_operations-1.11-1.fc14,
4) drupal6-views_bulk_operations-1.11-1.el6,
5) drupal6-views_bulk_operations-1.11-1.el5.