SA-CONTRIB-2009-074- Webform - Multiple vulnerabilities - Security-news

15 Oct 2009


      * Advisory ID: DRUPAL-SA-CONTRIB-2009-074
  * Project: Webform (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-October-14
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION  
---------------------------------------------------------
.... Cross-site scripting
The Webform module enables the creation of custom forms for collecting data
from users. The Webform module does not properly escape field labels in
certain situations. A malicious user with permission to create webforms could
attempt a cross-site scripting (XSS [1]) attack when viewing the result,
leading to the user gaining full administrative access.
.... Session data disclosure
The Webform module fails to prevent the page from being cached when a default
value uses token placeholders. This leads to disclosure of session variables
to anonymous users when caching is enabled.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Webform for Drupal 6.x prior to 6.x-2.8
  * Webform for Drupal 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Upgrade to the latest version:
  * If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8 [2]
  * If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8 [3]
See also the Webform project page [4].
-------- REPORTED BY  
---------------------------------------------------------
The XSS issue was reported by Justine Klein Keane [5]. The session disclosure
issue was reported by seattlehimay [6].
-------- FIXED BY  
------------------------------------------------------------
The XSS issue was fixed by Greg Knaddison [7] of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug [8], the module
maintainer.
-------- CONTACT  
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/604920
[3] http://drupal.org/node/604922
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/302225
[6] http://druFpal.org/user/348366
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/35821