- Advisory ID: DRUPAL-SA-CONTRIB-2011-055
- Project: Webform CiviCRM Integration (third-party module)
- Version: 6.x, 7.x
- Date: 2011-November-09
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, SQL Injection
Description
The Webform CiviCRM Integration module extends the functionality of the Webform Module to link form submissions with a CiviCRM database. Version 2.0 of the module added form validation based on CiviCRM data type. A flaw in the implementation of this feature caused other validation handlers to fail, so the Webform would be able to be submitted even if required fields were left blank, etc. Version 2.1 fixed this issue, but implemented validation in such a way as to leave a possible opening for SQL injection. Both issues are now fixed in version 2.2.
Versions affected
- Webform CiviCRM Integration prior to 6.x-2.2
- Webform CiviCRM Integration prior to 7.x-2.2
Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the module for Drupal 6.x, upgrade to Webform CiviCRM Integration 6.x-2.2
- If you use the module for Drupal 7.x, upgrade to Webform CiviCRM Integration 7.x-2.2
See also the Webform CiviCRM Integration project page.
Reported by
Fixed by
- Coleman Watts the module maintainer
Coordinated by
- Stéphane Corlosquet of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.