Anyone got more info on yesterday's Views security update?

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.
seanberto's picture

(http://drupal.org/node/999380 for reference)

The way that I read the description of this update, it only applies to user-generated content - allowing a malicious, logged-in user to post a URL that, if followed by an admin user (though it's not clear what permission exactly defines "admin" in this case), would provide the malicious user with super-user access.

My assumption is that this vulnerability isn't really applicable on a single-user Drupal site, i.e., a site that doesn't give out user accounts to potentially malicious users. Is that correct? Or could this cross-site scripting attack originate from a link in an email sent from a contact form? Or from another website?

Finally, the description of the vulnerability states that it's only applicable to certain configuration combinations. Anyone got any beta on that?

Thanks in advance,
Sean

Comments

CVS diff

seanberto's picture

For reference, I think that this is the only change that's applicable:

http://drupalcode.org/viewvc/drupal/contributions/modules/views/theme/th...

And here's an issue requesting more info:

http://drupal.org/node/999832

I'd just point out to others

mikey_p's picture

I'd just point out to others that may see this, that with all things Drupal, the issue usually isn't authenticated vs. non-authenticated, but the permissions that apply to the user. Its easy to quickly configure a site that is vulnerable to attack from anonymous users.

why XSS is really bad

greggles's picture

It's not so much a problem of "single user sites vs. multi user sites" it's about "what could someone do if they had your permissions on your site."

For an illustration of this point, check out a screencast created by Ben (coltrane) on how XSS can affect your site.