* Advisory ID: DRUPAL-SA-CONTRIB-2011-055 * Project: Webform CiviCRM Integration [1] (third-party module) * Version: 6.x, 7.x * Date: 2011-November-09 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Webform CiviCRM Integration module extends the functionality of the Webform Module [3] to link form submissions with a CiviCRM [4] database. Version 2.0 of the module added form validation based on CiviCRM data type. A flaw in the implementation of this feature caused other validation handlers to fail, so the Webform would be able to be submitted even if required fields were left blank, etc. Version 2.1 fixed this issue, but implemented validation in such a way as to leave a possible opening for SQL injection. Both issues are now fixed in version 2.2.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Webform CiviCRM Integration prior to 6.x-2.2 * Webform CiviCRM Integration prior to 7.x-2.2
Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration [5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the module for Drupal 6.x, upgrade to Webform CiviCRM Integration 6.x-2.2 [6] * If you use the module for Drupal 7.x, upgrade to Webform CiviCRM Integration 7.x-2.2 [7]
See also the Webform CiviCRM Integration [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Michał Mach [9]
-------- FIXED BY ------------------------------------------------------------
* Coleman Watts [10] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Stéphane Corlosquet [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/webform_civicrm [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/webform [4] http://civicrm.org [5] http://drupal.org/project/webform_civicrm [6] http://drupal.org/node/1336044 [7] http://drupal.org/node/1336046 [8] http://drupal.org/project/webform_civicrm [9] http://drupal.org/user/765720 [10] http://drupal.org/user/639856 [11] http://drupal.org/user/52142 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration