Bug 1192959 - drupal-views: multiple vulnerabilities (SA-CONTRIB-2015-039)
Summary: drupal-views: multiple vulnerabilities (SA-CONTRIB-2015-039)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1192960 1192961 1192962 1192963 1192964
Blocks:
Reported: 2015-02-16 11:04 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:28 UTC (History)

Fixed In Version: Views 6.x-2.18, Views 6.x-3.2, Views 7.x-3.10
Clone Of:
Environment:
Last Closed: 2016-06-10 21:01:43 UTC
Embargoed:



Description Vasyl Kaigorodov 2015-02-16 11:04:40 UTC
2 vulnerabilities were reported [1] in Drupal Views module.

Open redirect vulnerability

The module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.

Access bypass vulnerability

The module does not protect the default Views configurations that ship with the module sufficiently, thereby exposing possibly protected information to unprivileged users.

This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

CVE request:
http://seclists.org/oss-sec/2015/q1/549

[1]: https://www.drupal.org/node/2424403
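
The open redirect described above is the generic "trusted redirect destination" bug: a URL taken from the request is handed to the redirect unchecked. The following is an added example of that check, written here for illustration; it is not the Views module's code nor the SA-CONTRIB-2015-039 fix (a Drupal 7 module would normally reach for the core url_is_external() helper instead). The parameter name `destination`, the fallback path `/admin/structure/views`, the request dictionaries and the `evil.example` hosts are all assumptions made up for the example.

```python
"""Open-redirect check for a user-supplied "destination" parameter.

Added example, not code from the Views module or its advisory fix. It
contrasts a redirect that trusts the request with one that confines the
target to a local path before redirecting.
"""
from urllib.parse import urlsplit

# Assumed fallback used when the supplied destination is rejected.
FALLBACK = "/admin/structure/views"


def is_local_redirect(target: str) -> bool:
    """Return True only if `target` is an absolute, same-site path."""
    if not target:
        return False
    # Tabs, newlines and other C0 characters are stripped or ignored by
    # browsers and some parsers, which can hide a scheme or host from a
    # naive check; reject them outright.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in target):
        return False
    parts = urlsplit(target)
    # Any scheme is external: http:, https:, javascript:, data:, and the
    # scheme-without-slashes form "https:evil.example".
    if parts.scheme:
        return False
    # Protocol-relative forms resolve to another host in a browser:
    # "//evil.example", "///evil.example" and "/\evil.example" ("\" is
    # treated as "/" by browsers for http(s) URLs).
    if parts.netloc or target.startswith(("//", "/\\", "\\")):
        return False
    # Require an absolute local path; "evil.example/x" without a leading
    # slash is ambiguous and is not something a lock-break page needs.
    return parts.path.startswith("/")


def redirect_target_unsafe(params: dict) -> str:
    """The vulnerable pattern: whatever the request says, we redirect to."""
    return params.get("destination", FALLBACK)


def redirect_target_safe(params: dict) -> str:
    """The hardened pattern: redirect only to a validated local path."""
    target = params.get("destination", "")
    return target if is_local_redirect(target) else FALLBACK


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for params in (
        {"destination": "/admin/structure/views/view/frontpage"},
        {"destination": "//evil.example/phish"},
        {"destination": "https:evil.example"},
        {"destination": "javascript:alert(1)"},
    ):
        print(params["destination"], "->",
              redirect_target_unsafe(params), "|", redirect_target_safe(params))
```

The check deliberately accepts paths only. Allowing absolute URLs back to the site's own host is where most hand-written redirect validators go wrong (prefix matches that let `https://example.org.evil.example` through, userinfo tricks such as `https://example.org@evil.example`), and a lock-break page has no need for them.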

Comment 2 Vasyl Kaigorodov 2015-02-16 11:06:45 UTC
Created drupal6-views tracking bugs for this issue:

Affects: fedora-all [bug 1192960]
Affects: epel-all [bug 1192962]

Comment 3 Vasyl Kaigorodov 2015-02-16 11:06:48 UTC
Created drupal7-views tracking bugs for this issue:

Affects: fedora-all [bug 1192961]
Affects: epel-all [bug 1192963]

Comment 4 Peter Borsa 2015-02-16 14:30:33 UTC
Hi!

Do I need to edit drupal7-views update to add these BZ issue numbers(1192961, 1192963)? Because I've submitted them before you created these BZ issues.

Thanks!

Comment 5 Peter Borsa 2015-02-16 14:32:34 UTC
As I can see Jon (limb) has updated drupal6-views as well.

https://admin.fedoraproject.org/updates/search/drupal6-views

Comment 6 Vasyl Kaigorodov 2015-02-17 09:41:04 UTC
(In reply to Peter Borsa from comment #4)
> Do I need to edit drupal7-views update to add these BZ issue
> numbers(1192961, 1192963)? Because I've submitted them before you created
> these BZ issues.

Peter, for completeness and sanity I would say that it will be good to have both these BZs mentioned in the update.

Comment 7 Peter Borsa 2015-02-20 13:18:04 UTC
Done, I've just added those ones. Thank you, Vasyl!

Comment 8 Fedora Update System 2015-02-23 08:03:50 UTC
drupal6-views-2.18-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-02-28 17:57:31 UTC
drupal6-views-2.18-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Peter Borsa 2015-04-23 06:20:54 UTC
Hi Vasyl!

Can we close this issue because the updated modules are in stable repositories?

Comment 11 Vasyl Kaigorodov 2015-04-23 07:57:22 UTC
(In reply to Peter Borsa from comment #10)
> Hi Vasyl!
> 
> Can we close this issue because the updated modules are in stable
> repositories?

Hi Peter,

Same as bug 1182940, this one affects OpenShift Online which is not yet fixed - this bug should remain open.

Comment 12 Peter Borsa 2015-04-23 07:59:20 UTC
Hi,

Okay, thank you!

