* Advisory ID: DRUPAL-SA-CONTRIB-2011-014 * Project: Webform Block (third-party module) * Version: 6.x * Date: 2011-March-23 * Security risk: Moderately critical (definition of risk levels) [1] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Webform Block module enables users to make a webform available as a block. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [2]) vulnerability that may lead to a malicious user gaining full administrative access. The vulnerability is mitigated by the fact that a malicious user must be assigned a role that includes permission to create and/or edit webforms. -------- VERSIONS AFFECTED --------------------------------------------------- * Webform Block module for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Webform Block [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Webform Block module for Drupal 6.x upgrade to Webform Block 6.x-1.2 [4] See also the Webform Block project page [5]. -------- REPORTED BY --------------------------------------------------------- * Dylan Wilder-Tack (grendzy [6]) of the Drupal security team -------- FIXED BY ------------------------------------------------------------ * Dylan Wilder-Tack (grendzy [7]) of the Drupal security team * Mike Carter (budda [8]), module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://drupal.org/security-team/risk-levels [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/project/webformblock [4] http://drupal.org/node/1101996 [5] http://drupal.org/project/webformblock [6] http://drupal.org/user/96647 [7] http://drupal.org/user/96647 [8] http://drupal.org/user/13164 [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration