=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN416
_____________________________________________________________________

DATE                      : 18/10/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running DRUPAL Views Bulk Operations.

======================================================================
http://drupal.org/node/933960
______________________________________________________________________


SA-CONTRIB-2010-099 - Views Bulk Operations - Access Bypass
Security advisories for contributed projects  Drupal 6.x
Drupal Security Team - October 6, 2010 - 21:32

    * Advisory ID: DRUPAL-SA-CONTRIB-2010-099
    * Project: Views Bulk Operations (third-party module)
    * Version: 6.x
    * Date: 2010-October-6
    * Security risk: Not critical
    * Exploitable from: Remote
    * Vulnerability: Access bypass

Description

Views Bulk Operations augments Views by allowing bulk operations to be executed
on the nodes and users displayed by a view. It does so by showing a checkbox in
front of each item, and adding a select box containing operations that can be
applied on the selected items.

In some circumstances, a malicious user could use Views Bulk Operation to cause
user 0 (the anonymous user) to be deleted. The effects of deleting user 0 vary
depending on the system configuration and the use of other contributed modules,
ranging from trivial errors to significant loss of functionality.

The risk is mitigated by the fact that a malicious user would need permission
to a view that lets him/her manage users through Views Bulk Operations in
order to exploit this vulnerability.

Versions affected

    * Views Bulk Operations for Drupal 6 prior to 6.x-1.10

Drupal core is not affected. If you do not use the contributed Views Bulk
Operations module, there is nothing you need to do.

Solution

Install the latest version:

    * If you use the Views Bulk Operations module for Drupal 6.x upgrade to
      Views Bulk Operations 6.x-1.10

See also the Views Bulk Operations project page.

Reported by

    * Joonas Kiminki (onaz)
    * Teemu Merikoski (tcmug)

Fixed by

    * Joonas Kiminki (onaz)
    * Teemu Merikoski (tcmug)

Contact

The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================