- Advisory ID: DRUPAL-SA-CONTRIB-2009-074
- Project: Webform (third-party module)
- Version: 5.x, 6.x
- Date: 2009-October-14
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
Cross-site scripting
The Webform module enables the creation of custom forms for collecting data from users. The Webform module does not properly escape field labels in certain situations. A malicious user with permission to create webforms could place script in a field label; the script executes in the browser of another user who views the webform results, allowing a cross-site scripting (XSS) attack that, if the viewer is an administrator, can lead to the attacker gaining full administrative access.
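The following is an added example, not code from the Webform module or its maintainers: a results-table header built from user-supplied field labels, first in the unescaped form that permits the attack described above, then escaped. The labels, the payload and the function names are constructed for illustration; the escaping uses PHP's htmlspecialchars() directly so the file runs without a Drupal bootstrap, where Drupal code would call check_plain().

```php
<?php
// Added example, not Webform's own code: a results-table header built
// from user-supplied field labels, in the unescaped form that permits XSS
// and in the escaped form. Labels below are constructed for illustration.

// Constructed labels; the second carries the kind of payload a user with
// permission to create webforms could store in a field label.
$labels = array(
  'Name',
  'Email <script>alert(document.cookie)</script>',
);

// Vulnerable: labels are concatenated straight into the markup, so the
// stored script runs in the browser of whoever views the results.
function results_header_unescaped(array $labels) {
  $cells = '';
  foreach ($labels as $label) {
    $cells .= '<th>' . $label . '</th>';
  }
  return '<tr>' . $cells . '</tr>';
}

// Hardened: each label is HTML-escaped with ENT_QUOTES before output.
// Drupal's check_plain() does the same thing (plus UTF-8 validation);
// htmlspecialchars() is used here only so the file runs without a Drupal
// bootstrap. In module code, call check_plain($label).
function results_header_escaped(array $labels) {
  $cells = '';
  foreach ($labels as $label) {
    $cells .= '<th>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</th>';
  }
  return '<tr>' . $cells . '</tr>';
}

echo results_header_unescaped($labels), "\n";
echo results_header_escaped($labels), "\n";

// The escaped output contains no live tag: "<script" survives only as "&lt;script".
if (strpos(results_header_escaped($labels), '<script') !== FALSE) {
  throw new RuntimeException('escaping failed');
}
```

Run with the PHP command-line interpreter: the first line printed contains a live script tag, the second contains the same text with the angle brackets encoded, which is the output a results page must produce for any label it did not generate itself.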
Session data disclosure
The Webform module fails to prevent the page from being cached when a default value uses token placeholders. Because the placeholders are replaced with values from the visitor's session before the page is stored in the page cache, the first visitor's session variables are served to subsequent anonymous visitors when page caching is enabled.
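The following is an added example, not code from the Webform module: a minimal model of Drupal 6's anonymous page cache showing how a default value that substitutes session tokens leaks one visitor's data to the next, and the effect of refusing to cache such a page. The token name, session contents, paths and function names are constructed; the opt-out mechanism named in the comments ($GLOBALS['conf']['cache'] = CACHE_DISABLED) is the usual Drupal 6 idiom and is an assumption about how a module would do this, not a statement about Webform's own patch.

```php
<?php
// Added example, not code from the Webform module: a minimal model of
// Drupal 6's anonymous page cache, showing why a form whose default value
// substitutes session tokens must opt out of caching. The token name,
// session values and paths are constructed for illustration.

// Replace tokens in a default value with data from the current visitor's
// session. (%session[mail] stands in for Webform's session token syntax.)
function render_default($default, array $session) {
  $value = strtr($default, array('%session[mail]' => $session['mail']));
  return '<input name="email" value="'
    . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Serve one anonymous request. $cache models the site-wide page cache
// (Drupal 6's cache_page table), keyed by path and shared by all anonymous
// visitors. With $fix FALSE the rendered page is stored whenever caching is
// on, which is the vulnerable behaviour; with $fix TRUE a page whose default
// value contains tokens is never stored. In a Drupal 6 module the opt-out is
// done by setting $GLOBALS['conf']['cache'] = CACHE_DISABLED for the request
// (the usual Drupal 6 idiom; an assumption here, not copied from Webform).
function serve(array &$cache, $path, $default, array $session, $fix) {
  if (isset($cache[$path])) {
    return $cache[$path];   // cache hit: the first visitor's rendering is reused
  }
  $html = render_default($default, $session);
  $uses_tokens = strpos($default, '%') !== FALSE;
  if (!($fix && $uses_tokens)) {
    $cache[$path] = $html;
  }
  return $html;
}

// Two anonymous visitors with different session contents (constructed).
$alice = array('mail' => 'alice@example.org');
$bob   = array('mail' => 'bob@example.org');

$cache = array();
serve($cache, 'node/1', '%session[mail]', $alice, FALSE);
$bob_sees = serve($cache, 'node/1', '%session[mail]', $bob, FALSE);
echo "vulnerable: $bob_sees\n";   // Bob is served Alice's address

$cache = array();
serve($cache, 'node/1', '%session[mail]', $alice, TRUE);
$bob_sees = serve($cache, 'node/1', '%session[mail]', $bob, TRUE);
echo "fixed:      $bob_sees\n";   // Bob is served his own address
```

The model makes the failure condition explicit: the leak needs nothing more than site-wide page caching plus a token that is resolved per visitor, so any module that renders per-session data into a page served to anonymous users has to mark that page uncacheable itself, because the core page cache cannot tell the two cases apart.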
Versions affected
- Webform for Drupal 6.x prior to 6.x-2.8
- Webform for Drupal 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8
- If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8
After upgrading, clear the page cache from the Performance settings page if page caching is enabled: a webform page that was cached with another visitor's token values before the upgrade stays in the cache until it is cleared or expires.
See also the Webform project page.
Reported by
The XSS issue was reported by Justine Klein Keane.
The session disclosure issue was reported by seattlehimay.
Fixed by
The XSS issue was fixed by Greg Knaddison of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug, the module maintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.