- Advisory ID: DRUPAL-SA-CONTRIB-2011-001
- Project: Webform (third-party module)
- Version: 6.x
- Date: 2011-January-10
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
Description
The contributed Webform module provides a webform node type. Typical uses for Webform are questionnaires, contact or request/register forms, surveys, polls, or a front end to issue tracking systems.
The module does not properly use the database API, leading to an SQL Injection vulnerability that can easily lead to a malicious user gaining full administrative access.
No permissions are required to exploit this issue. The vulnerability is being exploited in the wild.
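The advisory does not show the affected code, so the following is an added illustration (not the Webform module's own code) of what "not properly using the database API" means in Drupal 6, and of the correct pattern. It assumes a bootstrapped Drupal 6 site; the function names and the `{webform_submissions}` columns used are assumptions for the example.

```php
<?php
// Added example, not code from the Webform project. Assumes Drupal 6 is
// bootstrapped so that db_query(), db_fetch_object() and db_placeholders()
// are available; table and column names are assumed for illustration.

// Unsafe pattern: request values are concatenated into the query text, so
// the database receives whatever the caller supplied as part of the SQL.
// This is the class of defect the advisory describes.
function example_submission_unsafe($nid, $sid) {
  $sql = "SELECT * FROM {webform_submissions} WHERE nid = " . $nid . " AND sid = " . $sid;
  return db_fetch_object(db_query($sql));
}

// Correct pattern: db_query() placeholders. %d arguments are cast to
// integers and %s arguments are escaped before the query is assembled,
// so the query structure is fixed by the code, not by the input.
function example_submission_safe($nid, $sid) {
  return db_fetch_object(db_query(
    "SELECT * FROM {webform_submissions} WHERE nid = %d AND sid = %d",
    $nid, $sid
  ));
}

// String arguments: the placeholder is written quoted in the SQL ('%s');
// db_query() escapes the value but does not add the quotes itself.
function example_submissions_by_address($nid, $remote_addr) {
  return db_query(
    "SELECT sid FROM {webform_submissions} WHERE nid = %d AND remote_addr = '%s'",
    $nid, $remote_addr
  );
}

// Variable-length lists: db_placeholders() emits one %d per element for an
// IN clause, and the values are passed as arguments rather than imploded
// into the query text. db_query() also accepts the arguments as one array.
function example_submissions_by_sids($nid, array $sids) {
  $placeholders = db_placeholders($sids, 'int');
  $args = array_merge(array($nid), $sids);
  return db_query(
    "SELECT sid, submitted FROM {webform_submissions} WHERE nid = %d AND sid IN ($placeholders)",
    $args
  );
}
```

When auditing a contributed module for this class of issue, look for `db_query()` calls whose first argument is built with `.` concatenation or string interpolation of request data; every such value should instead arrive through a typed placeholder.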
Versions affected
- Webform module 6.x-3.x versions prior to 6.x-3.5
Note: The 6.x-2.x branch of Webform is not affected by this vulnerability. Sites using Webform 6.x-2.8, 6.x-2.9 or 6.x-2.10 do not need to upgrade for security reasons.
Drupal core is not affected. If you do not use the contributed webform module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Webform module for Drupal 6.x, upgrade to Webform 6.x-3.5
See also the Webform project page.
Reported by
The vulnerability was reported publicly.
Fixed by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.