SA-CONTRIB-2009-074 - Webform - Multiple vulnerabilities
* Advisory ID: DRUPAL-SA-CONTRIB-2009-074
* Project: Webform (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

.... Cross-site scripting

The Webform module enables the creation of custom forms for collecting data
from users.

The Webform module does not properly escape field labels in certain
situations. A malicious user with permission to create webforms could mount a
cross-site scripting (XSS [1]) attack against users viewing the results,
which could give that user full administrative access.

.... Session data disclosure

The Webform module fails to prevent the page from being cached when a default
value uses token placeholders. When page caching is enabled, this discloses
session variables to anonymous users.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Webform for Drupal 6.x prior to 6.x-2.8
* Webform for Drupal 5.x prior to 5.x-2.8

Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8 [2]
* If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8 [3]

See also the Webform project page [4].

-------- REPORTED BY ---------------------------------------------------------

The XSS issue was reported by Justin Klein Keane [5].
The session disclosure issue was reported by seattlehimay [6].

-------- FIXED BY ------------------------------------------------------------

The XSS issue was fixed by Greg Knaddison [7] of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug [8], the module
maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/604920
[3] http://drupal.org/node/604922
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/348366
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/35821
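As an added illustration (not code from the Webform module or from this advisory), the two defects described above in Drupal 6 PHP: a label emitted as raw HTML beside its escaped form, and a request that bypasses the page cache when a default value carries a token placeholder. It assumes the Drupal 6 API (check_plain(), CACHE_DISABLED, $GLOBALS['conf']['cache']); the webform_example_* functions and the loose token pattern are hypothetical.

```php
<?php
// Added example, not Webform's own code. Assumes Drupal 6 bootstrap and
// common.inc are loaded (check_plain, CACHE_DISABLED, $GLOBALS['conf']).

/**
 * Vulnerable pattern: the label is trusted and concatenated as raw HTML.
 * A form author who controls the label therefore controls markup that is
 * rendered in the browser of whoever views the results page.
 */
function webform_example_label_unsafe($label) {
  return '<label>' . $label . '</label>';
}

/**
 * Hardened pattern: treat the label as text and escape it before output.
 * check_plain() encodes <, >, &, " so the label can never close the tag.
 */
function webform_example_label_safe($label) {
  return '<label>' . check_plain($label) . '</label>';
}

/**
 * Hypothetical helper: does a default value contain a token placeholder?
 * Matched loosely as %name or [name]. A placeholder expands to per-visitor
 * data (e.g. session values), so the rendered page is not shareable.
 */
function webform_example_default_uses_tokens($default_value) {
  return (bool) preg_match('/%[a-z_]+|\[[a-z_:-]+\]/i', $default_value);
}

/**
 * Render one component. If its default value is per-visitor, switch off the
 * page cache for this request only, so anonymous users never receive a
 * cached copy containing another visitor's session data.
 */
function webform_example_render_component(array $component) {
  if (webform_example_default_uses_tokens($component['value'])) {
    // Drupal 6 idiom: CACHE_DISABLED overrides the site-wide cache setting
    // for the remainder of this request.
    $GLOBALS['conf']['cache'] = CACHE_DISABLED;
  }
  return webform_example_label_safe($component['name']);
}
```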