Closed
Bug 508650
Opened 16 years ago
Closed 16 years ago
Remove webform module
Categories
(quality.mozilla.org :: Website, defect)
quality.mozilla.org
Website
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: abuchanan, Unassigned)
Details
A Drupal SA recommends we remove the webform module, as they won't be fixing the security problem I guess.
I've had paulc disable the module in the meantime.
* Advisory ID: DRUPAL-SA-CONTRIB-2009-050
* Project: Webform report (third-party module)
* Version: All
* Date: 2009-Aug-5
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
-------- DESCRIPTION ---------------------------------------------------------
Webform report [1] allows users to create simple, dynamic reports based on
data collected by the webform module. When displaying the results of Webform
submissions, the module does not properly escape user entered data, leading
to a cross-site scripting [2] (XSS) vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Webform for Drupal 5.x
* Webform for Drupal 6.x
Drupal core is not affected. If you do not use the contributed webform report
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
There is no solution available. Please disable the module and remove it from
your server.
-------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [3]
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/webform_report
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/user/52142
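Added example, not part of the bug report, the advisory, or the webform_report code: the flaw class the advisory describes (submission values written into a results table without escaping) next to the escaped form. The function names and the sample submissions are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample submissions; the second row carries markup in a
// user-entered field, as a stored XSS attempt would.
$submissions = array(
  array('name' => 'Alice',   'comment' => 'Works fine on my machine'),
  array('name' => 'Mallory', 'comment' => '<script>alert(1)</script>'),
);

// Hypothetical report renderer with the flaw: user-entered values are
// concatenated into the HTML as-is, so markup in a submission becomes
// part of the page served to whoever views the report.
function render_report_unsafe(array $rows) {
  $html = "<table>\n";
  foreach ($rows as $row) {
    $html .= '<tr><td>' . $row['name'] . '</td><td>' . $row['comment'] . "</td></tr>\n";
  }
  return $html . "</table>\n";
}

// Escape at output time. Inside Drupal 5.x/6.x, core's check_plain()
// is the helper for this; htmlspecialchars() keeps the example stand-alone.
function escape_cell($value) {
  return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Same renderer with every user-supplied cell escaped.
function render_report_escaped(array $rows) {
  $html = "<table>\n";
  foreach ($rows as $row) {
    $html .= '<tr><td>' . escape_cell($row['name']) . '</td><td>'
           . escape_cell($row['comment']) . "</td></tr>\n";
  }
  return $html . "</table>\n";
}

$unsafe  = render_report_unsafe($submissions);
$escaped = render_report_escaped($submissions);

// The unsafe output contains a live <script> element; the escaped output
// carries the same text as inert character entities.
var_dump(strpos($unsafe, '<script>') !== false);   // bool(true)
var_dump(strpos($escaped, '<script>') !== false);  // bool(false)
echo $escaped;
```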
Comment 1•16 years ago (Reporter)
r48631 removes webform code
r48632 tags for production
This should go out with the next release. The module is disabled in the meantime.
Sending production
Deleting production/sites/all/modules/webform
Committed revision 48632.
Paulc checked, there are no webforms on qmo, so I don't think there is any data to be saved.
Thanks.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 2•16 years ago
Should we do a db backup? I would like to go through the uninstall process to clear up the db of the webform tables.
Comment 3•16 years ago (Reporter)
The DBs are regularly backed up by IT.
Although, if there are no webforms on the site, there likely isn't any useful data to be saved.
Comment 4•16 years ago
Also uninstalled the module.
Comment 5•16 years ago
Paul, the "create" menu at the top of QMO has a link to creating a webform (which is not there anymore). It re-directs the user to the general Create content page. We'll need to remove that to close this bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 6•16 years ago (Reporter)
This was defined through Drupal's dynamic block + PHP interface (gross!).
I removed the link from production and stage.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED