[Drupal] Information disclosure vulnerability in Drupal Views


Drupal is a stable, reliable and robust content management system. Views is a Drupal module that gives site builders a flexible way to control how lists and tables of content, or any other kind of content, are presented. Views began as a contributed module and was moved into core in Drupal 8.

Views is used by almost 75% of Drupal sites to present the elements on a page, and many of those sites still run the 6.x branch of the module. Views 6.x-2.9, 6.x-2.10 and 6.x-2.11 for Drupal 6 are vulnerable.

The vulnerability

Proof of concept: on a Drupal 6 site running an affected Views release, request the path ?q=admin/views/ajax/autocomplete/user/<prefix> without logging in. The response lists the first n usernames that begin with the given prefix. For example, ?q=admin/views/ajax/autocomplete/user/a returns the first n usernames starting with "a", and repeating the request for other prefixes harvests further names. A list of valid account names removes half of the guesswork from a brute-force or dictionary attack against the login form. Because the endpoint reads the real names from the users table, it also defeats modules that alias or hide usernames elsewhere on the site.

The root cause is that the Views module registered the menu callback for this path without any access control: views_ajax_autocomplete_user() is reachable by anonymous users. The fix is to attach a permission check to the menu entry (an access callback and access arguments in hook_menu()), or to verify inside the callback that the current user holds an appropriate permission before the users table is queried.
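To make the fix concrete, the following is an added example and not code from the Views module or from this post: a Drupal 6 hook_menu() entry and autocomplete callback shown in the unprotected shape the text describes, beside a hardened version. The module name example_views_fix, the choice of the core 'access user profiles' permission, the 10-row limit and the query are assumptions made for illustration; compare against the actual Views source before applying anything to a live site.

```php
<?php
// Added example, not the Views module's own code. Drupal 6 API.
// Hypothetical module name "example_views_fix"; the permission
// 'access user profiles' (a core user-module permission) and the
// 10-row limit are assumptions for illustration.

/**
 * Implements hook_menu().
 */
function example_views_fix_menu() {
  $items = array();

  // VULNERABLE SHAPE (for comparison only): a menu entry whose access
  // callback is TRUE is reachable by anonymous users, so the username
  // list behind it is public. Do not register an entry like this.
  //
  // $items['admin/views/ajax/autocomplete/user'] = array(
  //   'page callback'   => 'example_views_fix_autocomplete_user',
  //   'access callback' => TRUE,
  //   'type'            => MENU_CALLBACK,
  // );

  // HARDENED: require a real permission. Drupal's menu router calls
  // user_access('access user profiles') before the page callback and
  // serves a 403 "Access denied" page to callers that lack it.
  $items['admin/views/ajax/autocomplete/user'] = array(
    'page callback'    => 'example_views_fix_autocomplete_user',
    'access callback'  => 'user_access',
    'access arguments' => array('access user profiles'),
    'type'             => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Menu callback: JSON list of usernames beginning with $string.
 *
 * The menu router already enforced the permission; the explicit check
 * below is defence in depth for the case where this function is called
 * directly (for example from another module) rather than via the router.
 */
function example_views_fix_autocomplete_user($string = '') {
  if (!user_access('access user profiles')) {
    drupal_access_denied();
    return;
  }

  $matches = array();
  $string = trim($string);

  if ($string !== '') {
    // Prefix match on the stored name. db_query_range() escapes the '%s'
    // argument; the trailing '%%' is a literal '%'. Note that '%' and '_'
    // inside $string still act as LIKE wildcards (Drupal 6 has no db_like()),
    // which only widens the match within the permitted result limit.
    $result = db_query_range(
      "SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')",
      $string, 0, 10
    );
    while ($account = db_fetch_object($result)) {
      // check_plain() stops a crafted username from injecting markup
      // into the autocomplete widget that renders this list.
      $matches[$account->name] = check_plain($account->name);
    }
  }

  drupal_json($matches);
}
```

After deploying a change of this kind, confirm it from the outside: an unauthenticated request to ?q=admin/views/ajax/autocomplete/user/a should return the site's 403 page rather than a JSON list, and a user who holds the chosen permission should still see the autocomplete working in the Views UI.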

Vendor response

Several newer releases of the Views module are available, and upgrading to one of them is the only remedy the vendor offers. Otherwise the options are a third-party patch or a patch of one's own. In the end the Drupal security team concluded that this did not qualify as a security vulnerability and that the issue could be handled in public.