http://drupal.org/node/999380

Is it possible to get more info on which default views are at risk here, and what kind of URL a malicious user might use? It takes forward planning to update all our sites and I'm wanting to know how severe the immediate risk is with this vulnerability.

Many thanks

Comments

slashrsm’s picture

Assigned: Unassigned » esmerel
seanberto’s picture

.

dawehner’s picture

At least from my perspective there is no reason not to update to 2.12.
Every kind of security fix should be applied.

See http://drupalcode.org/viewvc/drupal/contributions/modules/views/theme/th... for the diff.

seanberto’s picture

@Dereine, that's a bit of a simplification. There are a lot of valid reasons not to apply code updates immediately just b/c a security announcement was made. And it's more than justified to evaluate the risk and schedule updates accordingly.

In this case, I believe that the risk is limited to exposed filters that use AJAX to refresh the views results. I could be wrong about this (hence the question). If it is the case, this issue affects a specific subset of the Drupal sites out there that use Views.

For those of us who support Drupal clients, it's probably safe in a lot of cases to wait to apply this update as part of routine, scheduled maintenance. But I'd love additional info in making this assessment. Again, I could be totally wrong about what the risk is.

dawehner’s picture

Status: Active » Fixed

Sorry, please read the release announcement first, before creating an issue: http://drupal.org/node/999386

This release contains only one change from 2.11, a fix for "SA-CONTRIB-2010-111 - Views - Cross Site Scripting".

It is a thousand times better to have bugs than to have a security vulnerability on your site.

Additionally, you can always add the current version to your dev site and test it out there.

merlinofchaos’s picture

Assigned: esmerel » Unassigned

Sorry, esmerel doesn't know anything about this issue, so can't help.

If you have a view with 1) AJAX enabled 2) an exposed filter and 3) an argument, then you are vulnerable to a specially crafted URL that can cause you to run an XSS attack.

2.12, as the release notes say, contains ONLY the patch and is otherwise identical to 2.11. The risk on update is minimal, and dereine looked at the patch so you can evaluate the code.
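The three conditions above (AJAX enabled, at least one exposed filter, at least one argument) are what decides whether a given view is in the affected configuration. As an added example that is not part of this thread or of the Views project, the following drush script walks every view on a Drupal 6 site and lists the displays that meet all three, so a site maintainer can see which sites need the update first. It assumes the Views 2.x API names `views_get_all_views()`, `$view->init_display()`, `$display->handler->get_option()` and `$view->destroy()`, and that `views_get_all_views()` marks disabled views with a `disabled` property; treat those names as assumptions and check them against your installed version.

```php
<?php
// Added audit example (not Views project code). Run from the site root with:
//   drush php-script views_ajax_exposed_audit.php
// Assumes Views 2.x on Drupal 6; the API names used below are assumptions.

/**
 * Return "viewname:display_id" for every display that has AJAX enabled,
 * at least one exposed filter and at least one argument.
 */
function views_audit_find_affected_displays() {
  $matches = array();

  foreach (views_get_all_views() as $view) {
    // Assumed: views_get_all_views() sets $view->disabled for disabled views.
    if (!empty($view->disabled)) {
      continue;
    }

    // Build display handlers so inherited options resolve correctly.
    $view->init_display();

    foreach ($view->display as $display_id => $display) {
      if (empty($display->handler)) {
        continue; // display plugin missing; nothing to evaluate
      }
      $handler = $display->handler;

      // get_option() falls back to the default display when the option
      // is not overridden on this display.
      $use_ajax  = $handler->get_option('use_ajax');
      $filters   = (array) $handler->get_option('filters');
      $arguments = (array) $handler->get_option('arguments');

      $has_exposed = FALSE;
      foreach ($filters as $filter) {
        if (!empty($filter['exposed'])) {
          $has_exposed = TRUE;
          break;
        }
      }

      if ($use_ajax && $has_exposed && count($arguments) > 0) {
        $matches[] = $view->name . ':' . $display_id;
      }
    }

    $view->destroy();
  }

  return $matches;
}

$affected = views_audit_find_affected_displays();
if (empty($affected)) {
  drush_print('No displays combine AJAX, an exposed filter and an argument.');
}
else {
  drush_print('Displays in the affected configuration (update Views first here):');
  foreach ($affected as $id) {
    drush_print('  ' . $id);
  }
}
```

The script only reads view configuration; it does not change anything. An empty result means the site is not in the configuration merlinofchaos describes, though applying 2.12 is still the right end state because it is otherwise identical to 2.11.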

seanberto’s picture

Assigned: Unassigned » seanberto
Status: Fixed » Active

Dereine, the original poster referenced the security announcement, which doesn't allow for comments, and posted this thread to ask for further clarification. As far as I know, this is a completely appropriate workflow for asking a completely justifiable question.

Your response suggests that you were too busy to digest the question before closing out this ticket. If you are unwilling to elaborate on the configuration options in which this security risk presents itself b/c you don't want to further expose the exploit, please say so. But please don't dismiss this question b/c you're busy. There are other folks on this issue queue who could provide an answer.

The question stands:

The security announcement states that this vulnerability is limited to specific Views configurations. The urgency of applying this fix therefore depends upon the configurations specific to individual Views implementations. What are those configurations that are affected?

As far as I can tell, this vulnerability affects exposed filters that use AJAX for query refreshing. Is that correct?

seanberto’s picture

Status: Active » Fixed

Sorry, hit submit at the same time that Merlin's comment came in. Thanks for the clarification. Closing.

merlinofchaos’s picture

Sorry, we didn't write the SA, the security team handles that. I wrote the release notes. It seems most people don't read the release notes. I'm not sure what to do about that.

seanberto’s picture

Aha. I checked the release notes and reviewed the changes to theme.inc before subscribing to this post and didn't see documentation of the specific AJAX/exposed filters/arguments configuration vulnerability. (Still don't see this documented in the notes @ http://drupal.org/node/999386 - not a complaint, just an observation).

Totally my fault for not immediately understanding the fix. Thank you so much for elaborating on this point! I can sleep easier knowing that I've got time to apply this update to the majority of my clients' sites, which aren't configured in this manner.

-s

merlinofchaos’s picture

Yea, it seems the SA is rather vague about what precisely the attack is.

greggles’s picture

Well, the SA is vague on purpose so we don't give a roadmap to exploiting the attack.

The goal is to balance giving enough information so people know if they should update their site with a desire not to give away all of the details which could enable a script-kiddy to exploit it.

modiphier’s picture

Version: 6.x-2.11 » 6.x-2.12

I uploaded the update yesterday, and now a page on my site (/content-summary) that shows my site "editors" (which is a role) the posts that are in a pending review (unpublished) state is broken. Well, now it (the content-summary page) shows the editor all content types, not just the content type associated with their user role. I had to upload the old version and the issue was resolved right away. I need more info so I can patch the views module myself, or maybe you need to review what you fixed because it broke something else.

merlinofchaos’s picture

Hey, dereine posted a link to the patch. It is highly highly highly unlikely that the patch here caused the problem you describe.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

ericbroder’s picture

The link in #3 doesn't work anymore. I suspect the diff is now here: http://drupalcode.org/project/views.git/commitdiff/d1f6444dac32274c724a7...