Closed Bug 496182 Opened 15 years ago Closed 15 years ago

SA-CONTRIB-2009-032 - Webform - Cross-site scripting

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Type: task
Priority: Not set
Severity: critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: abuchanan, Assigned: oremj)

Details

(Keywords: wsec-xss)

 * Advisory ID: DRUPAL-SA-CONTRIB-2009-032
 * Project: Webform (third-party module)
 * Versions: 5.x, 6.x
 * Date: 2009-June-03
 * Security risk: Moderately critical
 * Exploitable from: Remote
 * Vulnerability: Cross-site scripting

-------- DESCRIPTION ---------------------------------------------------------

The Webform module provides a node type which is typically used to enable
site visitors to fill in questionnaires, contact or request/registration
forms, surveys, polls, or other forms on a Drupal site. When displaying the
results of Webform submissions, the module does not properly filter user
entered data, leading to a cross-site scripting [1] (XSS) vulnerability on
sites with a specific configuration of input formats that would normally be
safe. Such an attack carried out against a sufficiently privileged user may
lead a malicious user to gain administrator access to the site.

-------- VERSIONS AFFECTED ---------------------------------------------------

 * Versions of Webform for Drupal 5.x prior to 5.x-2.7
 * Versions of Webform for Drupal 6.x prior to 6.x-2.7

Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
 * If you use Webform for Drupal 5.x, upgrade to Webform 5.x-2.7 [2].
 * If you use Webform for Drupal 6.x, upgrade to Webform 6.x-2.7 [3].

This affects SFx and QMO

See also the Webform project page [4].

-------- REPORTED BY ---------------------------------------------------------

David Rothstein [5]

-------- FIXED BY ------------------------------------------------------------

Nathan Haug (quicksketch [6]), and David Rothstein [7] of the Drupal Security
Team [8]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/481260
[3] http://drupal.org/node/481258
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/124982
[6] http://drupal.org/user/35821
[7] http://drupal.org/user/124982
[8] http://drupal.org/security-team

_______________________________________________
Security-news mailing list
Security-news@drupal.org
http://lists.drupal.org/listinfo/security-news
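The advisory above says the results report rendered user-entered submission data without proper filtering. The PHP below is an added illustration of the defensive principle involved; it is not code from the Webform module or the Drupal Security Team, and it does not attempt to reproduce the specific input-format configuration the advisory refers to, which the advisory does not detail. It renders the same constructed submissions once raw and once through an escaping helper that mirrors Drupal 6's check_plain(). The functions example_check_plain, example_submissions, render_results_unsafe, render_results_safe and contains_user_markup, and the sample rows, are constructed for this example.

```php
<?php
// Added example, not code from the Webform module or the advisory.
// It shows why "user-entered data must be filtered on output" matters
// for a submission results report, using constructed sample data.

// Mirror of Drupal 6's check_plain(): HTML-escape a plain-text string so
// the browser renders it as text rather than parsing it as markup.
// Inside a Drupal module you would call check_plain() itself.
function example_check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed submissions, shaped like rows a results report would load
// from the database. Submission 2 carries markup in free-text fields,
// which is the data an unescaped report would hand to the browser of
// whoever views the results (typically a privileged user).
function example_submissions() {
    return array(
        array('sid' => 1, 'name' => 'Alice', 'comment' => 'Great survey!'),
        array('sid' => 2, 'name' => 'Bob <b>bold</b>',
              'comment' => '<script>alert(1)</script>'),
    );
}

// Vulnerable pattern: stored values concatenated straight into the HTML
// table. Anything a submitter typed becomes part of the page's markup.
function render_results_unsafe(array $submissions) {
    $rows = '';
    foreach ($submissions as $s) {
        $rows .= '<tr><td>' . $s['sid'] . '</td><td>' . $s['name']
              . '</td><td>' . $s['comment'] . '</td></tr>';
    }
    return '<table>' . $rows . '</table>';
}

// Hardened pattern: every user-supplied cell goes through the escaping
// function at output time, so '<', '>', '&' and quotes reach the browser
// as entities and the table structure stays under the module's control.
function render_results_safe(array $submissions) {
    $rows = '';
    foreach ($submissions as $s) {
        $rows .= '<tr>';
        foreach (array('sid', 'name', 'comment') as $key) {
            $rows .= '<td>' . example_check_plain($s[$key]) . '</td>';
        }
        $rows .= '</tr>';
    }
    return '<table>' . $rows . '</table>';
}

// Simple regression check for a results page: after escaping, the only
// tags left in the output should be the ones the renderer itself emits.
function contains_user_markup($html) {
    return stripos($html, '<script') !== false
        || stripos($html, '<b>') !== false;
}

$submissions = example_submissions();
$unsafe = render_results_unsafe($submissions);
$safe   = render_results_safe($submissions);

echo 'unsafe report contains submitter markup: '
    . (contains_user_markup($unsafe) ? 'yes' : 'no') . "\n";
echo 'escaped report contains submitter markup: '
    . (contains_user_markup($safe) ? 'yes' : 'no') . "\n";
echo $safe . "\n";
```

Run it with `php example.php`. The escaping has to happen where the value is written into HTML, not where it was collected: the same stored string may later be rendered in a results table, a CSV export or an e-mail, and each output context needs its own appropriate encoding. Where a site deliberately wants submitters to use some markup, the filter applied on output must be one the submitter, not the viewing administrator, is permitted to use.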
r27034 and r27035 update webform on QMO and SFx

Paul, Tomcat, could you please check webform on QMO stage and give the go ahead to tag for production?
Confirmed that webform on QMO stage is up to version 6.x-2.7.
Alex, did you commit on production too?
not yet, tagging for production now
Over to IT to svn up production and run updates.php on QMO and SFx, please.  Thanks everyone.

QMO:

Sending        tags/production/sites/all/modules/webform
Sending        tags/production/sites/all/modules/webform/components/date.inc
Sending        tags/production/sites/all/modules/webform/components/email.inc
Sending        tags/production/sites/all/modules/webform/components/fieldset.inc
Sending        tags/production/sites/all/modules/webform/components/file.inc
Sending        tags/production/sites/all/modules/webform/components/grid.inc
Sending        tags/production/sites/all/modules/webform/components/hidden.inc
Sending        tags/production/sites/all/modules/webform/components/markup.inc
Sending        tags/production/sites/all/modules/webform/components/pagebreak.inc
Sending        tags/production/sites/all/modules/webform/components/select.inc
Sending        tags/production/sites/all/modules/webform/components/textarea.inc
Sending        tags/production/sites/all/modules/webform/components/textfield.inc
Sending        tags/production/sites/all/modules/webform/components/time.inc
Sending        tags/production/sites/all/modules/webform/tests/components.test
Sending        tags/production/sites/all/modules/webform/tests/permissions.test
Sending        tags/production/sites/all/modules/webform/tests/submission.test
Sending        tags/production/sites/all/modules/webform/tests/webform.test
Sending        tags/production/sites/all/modules/webform/translations/de.po
Sending        tags/production/sites/all/modules/webform/translations/el.po
Sending        tags/production/sites/all/modules/webform/translations/nl.po
Sending        tags/production/sites/all/modules/webform/translations/webform.pot
Sending        tags/production/sites/all/modules/webform/webform-confirmation.tpl.php
Sending        tags/production/sites/all/modules/webform/webform-form.tpl.php
Sending        tags/production/sites/all/modules/webform/webform-mail.tpl.php
Sending        tags/production/sites/all/modules/webform/webform.css
Sending        tags/production/sites/all/modules/webform/webform.info
Sending        tags/production/sites/all/modules/webform/webform.install
Sending        tags/production/sites/all/modules/webform/webform.js
Sending        tags/production/sites/all/modules/webform/webform.module
Sending        tags/production/sites/all/modules/webform/webform_components.inc
Sending        tags/production/sites/all/modules/webform/webform_export.inc
Sending        tags/production/sites/all/modules/webform/webform_report.inc
Sending        tags/production/sites/all/modules/webform/webform_submissions.inc
Transmitting file data ................................
Committed revision 27038.


SFX:

Sending        tags/production/sites/all/modules/webform
Sending        tags/production/sites/all/modules/webform/THEMING.txt
Sending        tags/production/sites/all/modules/webform/components/date.inc
Sending        tags/production/sites/all/modules/webform/components/email.inc
Sending        tags/production/sites/all/modules/webform/components/fieldset.inc
Sending        tags/production/sites/all/modules/webform/components/file.inc
Sending        tags/production/sites/all/modules/webform/components/grid.inc
Sending        tags/production/sites/all/modules/webform/components/hidden.inc
Sending        tags/production/sites/all/modules/webform/components/markup.inc
Sending        tags/production/sites/all/modules/webform/components/pagebreak.inc
Sending        tags/production/sites/all/modules/webform/components/select.inc
Sending        tags/production/sites/all/modules/webform/components/textarea.inc
Sending        tags/production/sites/all/modules/webform/components/textfield.inc
Sending        tags/production/sites/all/modules/webform/components/time.inc
Sending        tags/production/sites/all/modules/webform/po/da.po
Sending        tags/production/sites/all/modules/webform/po/de.po
Sending        tags/production/sites/all/modules/webform/po/el.po
Sending        tags/production/sites/all/modules/webform/po/es.po
Sending        tags/production/sites/all/modules/webform/po/fr.po
Sending        tags/production/sites/all/modules/webform/po/he.po
Sending        tags/production/sites/all/modules/webform/po/hu.po
Sending        tags/production/sites/all/modules/webform/po/it.po
Sending        tags/production/sites/all/modules/webform/po/nl.po
Sending        tags/production/sites/all/modules/webform/po/ru.po
Sending        tags/production/sites/all/modules/webform/po/sv.po
Sending        tags/production/sites/all/modules/webform/po/webform.pot
Sending        tags/production/sites/all/modules/webform/webform.css
Sending        tags/production/sites/all/modules/webform/webform.info
Sending        tags/production/sites/all/modules/webform/webform.install
Sending        tags/production/sites/all/modules/webform/webform.module
Sending        tags/production/sites/all/modules/webform/webform_components.inc
Sending        tags/production/sites/all/modules/webform/webform_report.inc
Sending        tags/production/sites/all/modules/webform/webform_submissions.inc
Transmitting file data ................................
Committed revision 27039.
Assignee: nobody → server-ops
Component: Other → Server Operations: Web Content Push
Product: Websites → mozilla.org
QA Contact: other → mrz
Version: unspecified → other
Thanks Alex!
Assignee: server-ops → oremj
bug 496378 tags sfx 3.0.1 for production.  This bug and that bug can be launched at the same time.
making this critical just to make sure it's on the radar for today
Severity: normal → critical
quality.mozilla.org]# svn up
U    sites/all/themes/qmo/qmo.js
U    sites/all/themes/qmo/css/mozqa.css
A    sites/all/modules/webform/translations/cs.po
U    sites/all/modules/webform/translations/webform.pot
U    sites/all/modules/webform/translations/de.po
U    sites/all/modules/webform/translations/nl.po
A    sites/all/modules/webform/translations/ja.po
A    sites/all/modules/webform/translations/sk.po
U    sites/all/modules/webform/translations/el.po
U    sites/all/modules/webform/webform.module
U    sites/all/modules/webform/components/email.inc
U    sites/all/modules/webform/components/textfield.inc
U    sites/all/modules/webform/components/hidden.inc
U    sites/all/modules/webform/components/date.inc
U    sites/all/modules/webform/components/textarea.inc
U    sites/all/modules/webform/components/time.inc
U    sites/all/modules/webform/components/fieldset.inc
U    sites/all/modules/webform/components/file.inc
U    sites/all/modules/webform/components/markup.inc
U    sites/all/modules/webform/components/select.inc
U    sites/all/modules/webform/components/pagebreak.inc
U    sites/all/modules/webform/components/grid.inc
U    sites/all/modules/webform/webform-form.tpl.php
U    sites/all/modules/webform/webform.css
U    sites/all/modules/webform/webform.info
U    sites/all/modules/webform/tests/webform.test
U    sites/all/modules/webform/tests/components.test
U    sites/all/modules/webform/tests/permissions.test
U    sites/all/modules/webform/tests/submission.test
U    sites/all/modules/webform/webform_report.inc
U    sites/all/modules/webform/webform-mail.tpl.php
U    sites/all/modules/webform/webform.install
U    sites/all/modules/webform/webform_submissions.inc
U    sites/all/modules/webform/webform_export.inc
U    sites/all/modules/webform/webform-confirmation.tpl.php
U    sites/all/modules/webform/webform.js
A    sites/all/modules/webform/po
A    sites/all/modules/webform/po/da.po
A    sites/all/modules/webform/po/cs.po
A    sites/all/modules/webform/po/webform.pot
A    sites/all/modules/webform/po/ru.po
A    sites/all/modules/webform/po/es.po
A    sites/all/modules/webform/po/fr.po
A    sites/all/modules/webform/po/de.po
A    sites/all/modules/webform/po/sv.po
A    sites/all/modules/webform/po/nl.po
A    sites/all/modules/webform/po/he.po
A    sites/all/modules/webform/po/hu.po
A    sites/all/modules/webform/po/it.po
A    sites/all/modules/webform/po/sk.po
A    sites/all/modules/webform/po/el.po
U    sites/all/modules/webform/webform_components.inc
 U   sites/all/modules/webform
Updated to revision 27162.

www.spreadfirefox.com]# svn up
U    sites/all/themes/sfxBB/page-footer.tpl.php
A    sites/all/themes/sfxBB/img/sumo-icon.png
U    sites/all/themes/sfxBB/page-affiliates-get_button.tpl.php
A    sites/all/themes/sfxBB/page-contact-us.tpl.php
U    sites/all/themes/sfxBB/page-header.tpl.php
U    sites/all/themes/sfxBB/css/main.css
 U   sites/all/themes/sfxBB
U    sites/all/modules/sfx_photostream/sfx_photostream.module
 U   sites/all/modules/sfx_photostream
U    sites/all/modules/sfx_affiliates/sfx_affiliates.module
 U   sites/all/modules/sfx_affiliates
A    sites/all/modules/sfx/tests
A    sites/all/modules/sfx/tests/sfx_affiliates.test
U    sites/all/modules/sfx/sfx.module
 U   sites/all/modules/sfx
U    sites/all/modules/webform/components/email.inc
U    sites/all/modules/webform/components/textfield.inc
U    sites/all/modules/webform/components/hidden.inc
U    sites/all/modules/webform/components/date.inc
U    sites/all/modules/webform/components/textarea.inc
U    sites/all/modules/webform/components/time.inc
U    sites/all/modules/webform/components/fieldset.inc
U    sites/all/modules/webform/components/file.inc
U    sites/all/modules/webform/components/markup.inc
U    sites/all/modules/webform/components/select.inc
U    sites/all/modules/webform/components/pagebreak.inc
U    sites/all/modules/webform/components/grid.inc
U    sites/all/modules/webform/webform.module
U    sites/all/modules/webform/webform.css
U    sites/all/modules/webform/webform.info
U    sites/all/modules/webform/webform_report.inc
U    sites/all/modules/webform/webform.install
U    sites/all/modules/webform/webform_submissions.inc
U    sites/all/modules/webform/THEMING.txt
A    sites/all/modules/webform/webform_export.inc
U    sites/all/modules/webform/po/da.po
A    sites/all/modules/webform/po/cs.po
U    sites/all/modules/webform/po/webform.pot
U    sites/all/modules/webform/po/ru.po
U    sites/all/modules/webform/po/es.po
U    sites/all/modules/webform/po/fr.po
U    sites/all/modules/webform/po/de.po
U    sites/all/modules/webform/po/sv.po
U    sites/all/modules/webform/po/nl.po
U    sites/all/modules/webform/po/he.po
U    sites/all/modules/webform/po/hu.po
U    sites/all/modules/webform/po/it.po
A    sites/all/modules/webform/po/sk.po
U    sites/all/modules/webform/po/el.po
U    sites/all/modules/webform/webform_components.inc
 U   sites/all/modules/webform
U    sites/all/modules/contact_us/contact_us.module
 U   sites/all/modules/contact_us
Updated to revision 27163.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard