SA-CONTRIB-2015-063 – Webform – Cross Site Scripting (XSS)

Advisory ID: DRUPAL-SA-CONTRIB-2015-063
Project: Webform (third-party module)
Version: 6.x, 7.x
Date: 2015-March-04
Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting

Description

Webform enables you to create surveys, personalized contact forms, contests, and the like.

Cross Site Scripting Related to Webform Submissions

The module doesn’t sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform’s results table tab.

To mitigate this vulnerability, you can disable the view-based results table and restore the legacy hard-coded results table by adding this line to your settings.php file:

<?php
 $conf['webform_table'] = TRUE; 
?>

Cross Site Scripting Related to Blocks

The module doesn’t sufficiently escape node titles of webforms which administrators may make available as blocks and displayed to any user. This issue affects all 6.x and 7.x branches of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.

Versions affected

webform 6.x versions prior to 6.x-3.22.
webform 7.x-3.x versions prior to 7.x-3.22.
webform 7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.

Solution

Install the latest version:

If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.22
If you use the webform module for Drupal 7.x, upgrade to webform 7.x-3.22 or webform 7.x-4.4

Also see the Webform project page.

Reported by

Dan Chadwick, the module maintainer

Fixed by

Dan Chadwick, the module maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version:

Drupal 6.x

Drupal 7.x

007 Software