This module has an access bypass vulnerability.

You can see this vulnerability by:

1. Enabling the module
2. Create a new webform report and leave "promote to front page" checked
3. Submissions from that webform can now be viewed at /rss.xml even if the frontpage view is disabled and the user doesn't have "Access Webform Reports" permission (i.e. anonymous uses can view it)
4. If the webform contains user submitted names, phone, email, etc it's now viewable and indexable by search engines

It appears this is due to there being no access checks in hook_view().

Originally reported by jphelan.

Comments

dsnopek created an issue. See original summary.

dsnopek’s picture

Priority: Normal » Critical
Issue tags: +Security
origami’s picture

I'm not able to reproduce the issue. I use this module and I want to make sure it's secure but I'm not seeing any webform submitted data in rss.xml. Are there any other steps or settings?