[Security-news] Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2020-012

Project: Webform [1]
Date: 2020-May-06
Security risk: *Moderately critical* 13∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently validate data submitted into Webform
Signature element during webform submission creation. This allows a malicious
user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes
are used across multiple spots in Drupal 8 core and contrib modules.

An extracted HMAC hash could be used to view restricted site content or log
in as another user in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to
create a webform submission with "Signature" element and then be able to view
the submission.

For Drupal instances that have "Signature" webform element available to users
with low trust, it is advised to change the value of the hash salt within
settings.php file to a new random value. Below we reference the specific
extract from settings.php that is advised for change in such Drupal
instances:


/**
    * Salt for one-time login links, cancel links, form tokens, etc.
    *
    * This variable will be set to a random value by the installer. All
one-time
    * login links will be invalidated if the value is changed. Note that if
your
    * site is deployed on a cluster of web servers, you must ensure that this
    * variable has the same value on each server.
    *
    * For enhanced security, you may set this variable to the contents of a
file
    * outside your document root; you should also ensure that this file is not
    * stored with backups of your database.
    *
    * Example:
    * @code
    *   $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
    * @endcode
    */
$settings['hash_salt'] = 'new-value-here';

Solution: 
Install the latest version:

   * If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11
     [3]

Also see the Webform [4] project page.

Reported By: 
   * Heine  [5] of the Drupal Security Team

Fixed By: 
   * Jacob Rockowitz  [6]

Coordinated By: 
   * Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/17943
[6] https://www.drupal.org/user/371407
[7] https://www.drupal.org/user/36762