Security issue because of unescaped field labels

Created on 19 September 2012, over 12 years ago
Updated 12 July 2024, 5 months ago

There is a serious security flaw in the field_views_field_default_views_data() function in the /views/modules/field.views.inc file: it assigns an unescaped user-input string to the label of the field. I suddenly stumbled on it while writing my own custom filter handler. Fortunately, the fix is pretty obvious, so I attached a patch to this issue.

This security issue falls outside of the security advisory policy of the Drupal Security team. The vulnerability can only be exploited if the attacker has an elevated permission "administer fields". Therefore we can fix this in public and no private security report is necessary.
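The shape of the defect and of the escaping fix described above, as an added illustration rather than the Views module's own code or the Backdrop patch; the helper functions, the simplified data array and the label value are constructed for this example, and a fallback check_plain() is defined so it runs without a Drupal bootstrap.

```php
<?php
// Added example (not field.views.inc or the Backdrop patch): a field label set
// by a user with "administer fields" is copied into the Views data 'title' key.
// If it is later printed verbatim, any markup in the label reaches the page.

// Drupal 7's check_plain() wraps htmlspecialchars(ENT_QUOTES, 'UTF-8'); this
// fallback matches it so the script runs outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Simplified stand-in for the field instance array (constructed for this
// example). Only an administrator can set a label, which is why the issue is
// handled publicly.
$instance = array(
  'field_name' => 'field_example',
  'label' => 'Price <script>alert(1)</script>',
);

// Vulnerable shape: the label is stored as-is (hypothetical helper name).
function views_data_unescaped(array $instance) {
  return array('title' => $instance['label']);
}

// Hardened shape: escape at the point the value is stored for display.
function views_data_escaped(array $instance) {
  return array('title' => check_plain($instance['label']));
}

// Escaped once: the script tag is rendered as text, not executed.
$data = views_data_escaped($instance);
print $data['title'] . "\n";

// Escaped a second time, as an additional filter in Views UI would do, the
// output is double-escaped (&amp;lt; instead of &lt;): cosmetically wrong but
// still not executable. That is the trade-off weighed later in this thread.
print check_plain($data['title']) . "\n";
```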

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇷🇺Russia RedRat

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇦🇹Austria klausi 🇦🇹 Vienna

    This was released as a Backdrop security fix in https://backdropcms.org/security/backdrop-sa-core-2024-001

    Raising priority to critical as this is a small XSS vulnerability, but fortunately can only be exploited by trusted admins as Damien said.

    Setting to "needs work" as I think we should do the same fix as Backdrop.

  • Status changed to Needs review 6 months ago
  • 🇦🇹Austria klausi 🇦🇹 Vienna

    Ported patch from backdrop.

  • Status changed to RTBC 6 months ago
  • 🇸🇰Slovakia gresko8

    Thanks for the patch Klausi!

  • 🇺🇸United States DamienMcKenna NH, USA

    Thank you all for working on the fix and reviewing it.

  • 🇧🇷Brazil renatog Campinas

    If confirmed that is a security issue we should follow this instruction, right?!

    Warning message

    Security issues should not be reported here. Follow the procedure for reporting security issues .

  • 🇦🇹Austria klausi 🇦🇹 Vienna

    It is a security issue, but it falls outside of the security advisory policy of the Drupal Security team. The vulnerability can only be exploited if the attacker has an elevated permission "administer fields". Therefore we can fix this in public (not sure why Backdrop issued an advisory).

    Clarified that in the issue summary

  • 🇺🇸United States DamienMcKenna NH, USA

    Thanks Klausi.

    Put another way - this is a minor security hardening issue for some rare scenarios, rather than something a non-admin would be able to exploit.

  • Status changed to Active 5 months ago
  • 🇦🇹Austria klausi 🇦🇹 Vienna

    Oh hm, @jenlampton replied in Slack that the Backdrop fix is not necessary for Drupal 7 because Views UI has an extra XSS filter that Backdrop does not have anymore. She is right, I tried to exploit this but could not get XSS to trigger when adding a field in the Views UI.

    Is there any other place where these field labels are displayed?

    Very sorry for the noise here, I should have tested my assumptions fully before escalating here. Downgrading the priority again and setting this back to active.

    For the Views module in Drupal 7 I think we should not remove the extra XSS filter in Views UI, even if there could be some double escaping then. Keeping the potential double escaping is the secure choice at this point in the late D7 cycle.

    Let me know if you see the XSS trigger and where exactly!
