[Security-news] SA-CONTRIB-2009-074- Webform - Multiple vulnerabilities
security-news at drupal.org
Thu Oct 15 02:28:01 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-074
* Project: Webform (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
.... Cross-site scripting
The Webform module enables the creation of custom forms for collecting data
from users. The Webform module does not properly escape field labels in
certain situations. A malicious user with permission to create webforms could
attempt a cross-site scripting (XSS [1]) attack that triggers when the results
are viewed, which could lead to that user gaining full administrative access.
.... Session data disclosure
The Webform module fails to prevent the page from being cached when a default
value uses token placeholders. This leads to disclosure of session variables
to anonymous users when caching is enabled.
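As an added illustration, not code from the advisory or from the Webform module, the two defensive patterns these fixes imply, written against Drupal 6 core APIs (check_plain() and CACHE_DISABLED are real; the function names, the component array shape and the "%name[...]" token syntax are assumptions):

```php
<?php
// Added example for Drupal 6. Not the Webform module's own code; the token
// placeholder syntax "%name" / "%name[key]" is assumed for illustration.

/**
 * Build a results-table header cell from a webform component label.
 * check_plain() neutralises any HTML a user with "create webforms" permission
 * typed into the label, which closes the XSS path in the results view.
 */
function example_webform_label_cell(array $component) {
  // Vulnerable form (do not use): return $component['name'];
  return check_plain($component['name']);
}

/**
 * TRUE when a default value contains a token placeholder (assumed syntax),
 * i.e. content that is substituted per visitor and must never be page-cached.
 */
function example_webform_default_uses_tokens($default_value) {
  return (bool) preg_match('/%[a-z_]+(\[[^\]]*\])?/i', (string) $default_value);
}

/**
 * Disable page caching for the current request if any component's default
 * value is token-based. Without this, a page rendered for one user, with that
 * user's session values already substituted in, is served verbatim to
 * anonymous visitors from the page cache.
 */
function example_webform_prevent_cached_tokens(array $components) {
  foreach ($components as $component) {
    if (example_webform_default_uses_tokens($component['value'])) {
      // Drupal 6 idiom: turn the page cache off for this request only.
      $GLOBALS['conf']['cache'] = CACHE_DISABLED;
      return TRUE;
    }
  }
  return FALSE;
}
```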
-------- VERSIONS AFFECTED ---------------------------------------------------
* Webform for Drupal 6.x prior to 6.x-2.8
* Webform for Drupal 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8 [2]
* If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8 [3]
See also the Webform project page [4].
-------- REPORTED BY ---------------------------------------------------------
The XSS issue was reported by Justine Klein Keane [5]. The session disclosure
issue was reported by seattlehimay [6].
-------- FIXED BY ------------------------------------------------------------
The XSS issue was fixed by Greg Knaddison [7] of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug [8], the module
maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/604920
[3] http://drupal.org/node/604922
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/348366
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/35821