Anyone got more info on yesterday's Views security update?

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by seanberto on December 16, 2010 at 5:11pm

(http://drupal.org/node/999380 for reference)

The way that I read the description of this update, it only applies to user-generated content - allowing a malicious, logged-in user to post a URL that, if followed by an admin user (though it's not clear what permission exactly defines "admin" in this case), would provide the malicious user with super-user access.

My assumption is that this vulnerability isn't really applicable on a single-user Drupal site, i.e., a site that doesn't give out user accounts to potentially malicious users. Is that correct? Or could this cross-site scripting attack originate from a link in an email sent from a contact form? Or from another website?

Finally, the description of the vulnerability states that it's only applicable to certain configuration combinations. Anyone got any beta on that?

Thanks in advance,
Sean

Comments

CVS diff

Posted by seanberto on December 16, 2010 at 5:21pm

For reference, I think that this is the only change that's applicable:

http://drupalcode.org/viewvc/drupal/contributions/modules/views/theme/th...

And here's an issue requesting more info:

http://drupal.org/node/999832

I'd just point out to others

Posted by mikey_p on December 16, 2010 at 8:28pm

I'd just point out to others that may see this, that with all things Drupal, the issue usually isn't authenticated vs. non-authenticated, but the permissions that apply to the user. Its easy to quickly configure a site that is vulnerable to attack from anonymous users.

why XSS is really bad

Posted by greggles on December 17, 2010 at 1:22am

It's not so much a problem of "single user sites vs. multi user sites" it's about "what could someone do if they had your permissions on your site."

For an illustration of this point, check out a screencast created by Ben (coltrane) on how XSS can affect your site.

Portland (Oregon)

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /