* Advisory ID: DRUPAL-SA-CONTRIB-2009-074
* Project: Webform (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------

.... Cross-site scripting

The Webform module enables the creation of custom forms for collecting data from users.

The Webform module does not properly escape field labels in certain situations. A malicious user with permission to create webforms could place script in a field label; the script runs in the browser of a privileged user who views the submission results (cross-site scripting, XSS [1]), which could give the attacker full administrative access.

.... Session data disclosure

The Webform module fails to prevent the page from being cached when a component default value uses token placeholders. Drupal's page cache serves anonymous users a stored copy of the page, so the values substituted for the first visitor, including session variables, are disclosed to other anonymous users when caching is enabled.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Webform for Drupal 6.x prior to 6.x-2.8
* Webform for Drupal 5.x prior to 5.x-2.8

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:

* If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8 [2]
* If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8 [3]

See also the Webform project page [4].

-------- REPORTED BY ---------------------------------------------------------
The XSS issue was reported by Justin Klein Keane [5]. The session disclosure issue was reported by seattlehimay [6].

-------- FIXED BY ------------------------------------------------------------

The XSS issue was fixed by Greg Knaddison [7] of the Drupal Security Team. The session disclosure issue was fixed by Nathan Haug [8], the module maintainer.

-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
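The following is an added illustration of the field-label escaping problem described under "Cross-site scripting"; it is not code from this advisory or from the Webform module. It builds a results-table header from form-creator-controlled labels twice, once by concatenating the raw label (the unsafe pattern) and once through Drupal's check_plain(). A stand-alone fallback for check_plain() is defined so the script runs outside Drupal; the sample components and the function names results_header_unsafe / results_header_safe are this example's own.

```php
<?php
// Added example, not Webform's code: escaping user-controlled field labels.

// Outside Drupal, provide check_plain() so the script runs stand-alone. Drupal 6
// implements it as htmlspecialchars($text, ENT_QUOTES, 'UTF-8') for valid UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: a user who may create webforms chose a label carrying markup.
$components = array(
  array('name' => 'Your name'),
  array('name' => 'Comment <script>alert(document.cookie)</script>'),
);

// Unsafe pattern: the label is concatenated straight into the markup, so whoever
// views the results page executes the form creator's script in their own session.
function results_header_unsafe(array $components) {
  $cells = array();
  foreach ($components as $component) {
    $cells[] = '<th>' . $component['name'] . '</th>';
  }
  return '<tr>' . implode('', $cells) . '</tr>';
}

// Hardened pattern: every label passes through check_plain() before output, so
// the angle brackets and quotes reach the browser as entities, not as tags.
function results_header_safe(array $components) {
  $cells = array();
  foreach ($components as $component) {
    $cells[] = '<th>' . check_plain($component['name']) . '</th>';
  }
  return '<tr>' . implode('', $cells) . '</tr>';
}

print "Unsafe: " . results_header_unsafe($components) . "\n";
print "Safe:   " . results_header_safe($components) . "\n";
```

Run it with `php` and compare the two lines: the unsafe header contains a live `<script>` element, the safe one shows the label text verbatim. The same rule applies to any other user-supplied string that reaches the results or analysis pages.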
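The following is an added illustration of the "Session data disclosure" issue; it is not code from this advisory or from the Webform module. It shows the unsafe behaviour (substituting a visitor-specific placeholder into a page that the Drupal 6 page cache may store and serve to other anonymous users) beside the hardened behaviour (marking the page uncacheable with the Drupal 6 idiom `$GLOBALS['conf']['cache'] = CACHE_DISABLED` before substituting). The placeholder syntax `%session[key]` and the list of visitor-specific tokens are assumed from Webform 2.x's documented token names; the helper names, the constructed session array and the default value are this example's own.

```php
<?php
// Added example, not Webform's code: keep pages with visitor-specific default
// values out of the Drupal 6 page cache.

if (!defined('CACHE_DISABLED')) {
  define('CACHE_DISABLED', 0); // Drupal 6 bootstrap.inc value, for stand-alone runs.
}

// Placeholders whose substituted value depends on the current visitor (assumed
// Webform 2.x token names; the list is illustrative, not exhaustive).
$visitor_specific_tokens = array(
  '%session', '%request', '%get', '%cookie',
  '%username', '%useremail', '%userid', '%ip_address',
);

function default_value_is_visitor_specific($default, array $tokens) {
  foreach ($tokens as $token) {
    if (strpos($default, $token) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

// Minimal %session[key] substitution for the demonstration.
function substitute_session_tokens($text, array $session) {
  foreach ($session as $key => $value) {
    $text = str_replace('%session[' . $key . ']', $value, $text);
  }
  return $text;
}

// Unsafe behaviour: substitute and leave the page cacheable. Drupal 6 caches pages
// for anonymous users, so the first anonymous visitor's session value ends up in
// the cached copy that every later anonymous visitor receives.
function render_default_unsafe($default, array $session) {
  return substitute_session_tokens($default, $session);
}

// Hardened behaviour: if the default value carries a visitor-specific token,
// disable the page cache for this request before substituting.
function render_default_safe($default, array $session, array $tokens) {
  if (default_value_is_visitor_specific($default, $tokens)) {
    $GLOBALS['conf']['cache'] = CACHE_DISABLED;
  }
  return substitute_session_tokens($default, $session);
}

// Constructed sample request: a session value that must never be shared.
$session = array('email' => 'alice@example.com');
$default = 'Reply to: %session[email]';

$GLOBALS['conf']['cache'] = 1; // CACHE_NORMAL in Drupal 6: caching enabled
print render_default_unsafe($default, $session) . "\n";
print 'cache setting after unsafe render: ' . $GLOBALS['conf']['cache'] . "\n";

print render_default_safe($default, $session, $visitor_specific_tokens) . "\n";
print 'cache setting after safe render:   ' . $GLOBALS['conf']['cache'] . "\n";
```

The check happens before substitution so that a default value such as `%session[email]` never reaches a page that can be stored. Verify a fixed site the same way: load a webform with a token default as an anonymous user, then from a second anonymous browser, and confirm the second view shows its own values rather than the first visitor's.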
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/604920
[3] http://drupal.org/node/604922
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/348366
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/35821