[Security-news] SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)
security-news at drupal.org
security-news at drupal.org
Wed Mar 4 19:46:25 UTC 2015
View online: https://www.drupal.org/node/2445935
* Advisory ID: DRUPAL-SA-CONTRIB-2015-063
* Project: Webform [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-04
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Webform enables you to create surveys, personalized contact forms, contests,
and the like.
-------- CROSS SITE SCRIPTING RELATED TO WEBFORM SUBMISSIONS
-----------------
The module doesn't sufficiently escape user data presented to administrative
users in the webform results table. This issue affects the 7.x-4.x branch
only.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to submit a webform and the administrative user must
subsequently visit the webform's results table tab.
To mitigate this vulnerability, you can disable the view-based results table
and restore the legacy hard-coded results table by adding this line to your
settings.php file:
<?php $conf['webform_table'] = TRUE;
?>
-------- CROSS SITE SCRIPTING RELATED TO BLOCKS
------------------------------
The module doesn't sufficiently escape node titles of webforms which
administrators may make available as blocks and displayed to any user. This
issue affects all 6.x and 7.x branches of the module.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to administer blocks and create or edit webform nodes.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* webform 6.x versions prior to 6.x-3.22.
* webform 7.x-3.x versions prior to 7.x-3.22.
* webform 7.x-4.x versions prior to 7.x-4.4.
Drupal core is not affected. If you do not use the contributed Webform [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.22
[5]
* If you use the webform module for Drupal 7.x, upgrade to webform 7.x-3.22
[6] or webform 7.x-4.4 [7]
Also see the Webform [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dan Chadwick [9], the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Dan Chadwick [10], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform
[5] http://drupal.org/node/2445291
[6] http://drupal.org/node/2445295
[7] http://drupal.org/node/2445297
[8] https://www.drupal.org/project/webform
[9] https://www.drupal.org/user/504278
[10] https://www.drupal.org/user/504278
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
More information about the Security-news
mailing list