[Drupal] Information disclosure vulnerability of drupal views
Drupal is a stable, reliable, and robust Content Management System. Views is a Drupal module that gives site builders a flexible way to control how lists and tables of content, or any other type of content, are presented. Views started as a contributed module and was moved into core from Drupal 8 onward.
Drupal Views is used by almost 75% of Drupal-based sites to present the elements on a page, and many of these sites still run older Views releases such as the 6.x branch. Views versions 6.x-2.9, 6.x-2.10 and 6.x-2.11 for Drupal 6 are vulnerable.
The vulnerability
To verify the proof of concept, browse to the URL ?q=admin/views/ajax/autocomplete/user/ on an affected site: the user autocomplete callback answers without requiring any permission, so user names are disclosed to anonymous visitors.
A simple fix is to attach a permission to the AJAX menu item, or to check inside the callback whether the current user holds the required permission. More precisely, the Views module failed to provide any access control in the function views_ajax_autocomplete_user().
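The following is an added illustration of the two fixes just described, written for the Drupal 6 API; it is not the Views project's own code. The path and function name follow the write-up, the module name example_views is invented, and the permission checked, 'access user profiles', is Drupal core's profile-viewing permission, chosen here as an assumption about what the callback should require.

```php
<?php
/**
 * Added example (not Views project code): a Drupal 6 menu entry for the
 * user autocomplete callback with an explicit access check, plus a callback
 * that re-checks the permission before returning any data.
 *
 * Assumptions: module name example_views is hypothetical; the permission
 * 'access user profiles' is Drupal core's and is used here as the gate.
 */

/**
 * Implements hook_menu().
 */
function example_views_menu() {
  $items = array();
  $items['admin/views/ajax/autocomplete/user'] = array(
    'page callback' => 'example_views_ajax_autocomplete_user',
    // The vulnerable entry lacked an access check (per the write-up);
    // route the request through user_access() with a real permission.
    'access callback' => 'user_access',
    'access arguments' => array('access user profiles'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: returns user names matching $string as JSON.
 *
 * Defence in depth: the permission is re-checked inside the callback, so
 * the data stays protected even if the menu entry is altered by another
 * module or the router cache is stale.
 */
function example_views_ajax_autocomplete_user($string = '') {
  if (!user_access('access user profiles')) {
    drupal_access_denied();
    return;
  }

  $matches = array();
  if ($string !== '') {
    // Same query shape as core's user autocomplete; %s is escaped by
    // db_query_range() and %% yields a literal LIKE wildcard.
    $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);
    while ($account = db_fetch_object($result)) {
      $matches[$account->name] = check_plain($account->name);
    }
  }
  drupal_json($matches);
}
```

After applying a change like this, clear the menu router cache (for example via admin/settings/performance) and confirm that an anonymous request to the path now receives a 403 rather than a JSON list of names.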
Vendor response
Several newer versions of the Views module are available, and updating to one of them is the only remedy put forward by the vendor. Otherwise, a third-party patch has to be applied, or we can write our own. Ultimately, Drupal security concluded that this is not a vulnerability and that it could be handled in public.