=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN111
_____________________________________________________________________

DATE                      : 04/04/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running WEBFORM for Drupal.

======================================================================
http://drupal.org/node/242053
______________________________________________________________________

------------SA-2008-024 - WEBFORM - CROSS SITE SCRIPTING------------

   * Advisory ID: DRUPAL-SA-2008-024

   * Project: Webform (third-party module)

   * Version: 5.x, 6.x

   * Date: 2008-April-03

   * Security risk: Less critical

   * Exploitable from: Remote

   * Vulnerability: Cross site scripting

------------DESCRIPTION------------

The contributed webform module provides a webform nodetype. Typical uses for
webform are to create questionnaires, contact or request/register forms,
surveys, polls or a front end to issues tracking systems.

At several points in the codebase, user-supplied data is not escaped before it
is displayed. This allows users to inject arbitrary HTML and scripts into pages,
which may lead to administrator access when certain conditions are met.

Wikipedia has more information about cross site scripting (XSS)
[ http://en.wikipedia.org/wiki/Xss ].
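
The escaping defect described above, shown as an added illustration in PHP; this is not Webform's code, and the component label, the two render functions and the sample input are hypothetical, constructed for the example:

```php
<?php
// Added illustration, not Webform's own code. A hypothetical webform component
// label that a form author controls is rendered into HTML two ways.

// Constructed sample input: a label that carries markup and a script element.
$label = 'Your name <script>alert(1)</script>';

// Vulnerable pattern: user data is concatenated straight into markup, so any
// tag inside it is interpreted by the browser rather than shown as text.
function render_label_unescaped($label) {
    return '<label>' . $label . '</label>';
}

// Hardened pattern: escape on output. Drupal 5 and 6 ship check_plain() for
// this (it wraps htmlspecialchars() with ENT_QUOTES and first rejects invalid
// UTF-8); outside Drupal, htmlspecialchars() with an explicit charset is the
// equivalent. '<', '>', '&', '"' and "'" become entities, so the label is
// displayed literally and cannot open a tag or break out of an attribute.
function render_label_escaped($label) {
    return '<label>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</label>';
}

// Review aid: flag a rendered fragment in which a script tag survived as raw
// markup, which means escaping was skipped somewhere on the path.
function contains_raw_script_tag($html_fragment) {
    return (bool) preg_match('/<\s*script\b/i', $html_fragment);
}

$unsafe = render_label_unescaped($label);
$safe   = render_label_escaped($label);

echo $unsafe, "\n"; // script element survives intact
echo $safe, "\n";   // angle brackets are entity-encoded

var_dump(contains_raw_script_tag($unsafe)); // the unescaped fragment is flagged
var_dump(contains_raw_script_tag($safe));   // the escaped fragment is not
```

The fix in the advisory amounts to applying the second pattern at each point where the module printed user data directly.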

------------VERSIONS AFFECTED------------

   * Webform for Drupal 5.x prior to 5.x-1.10

   * Webform for Drupal 5.x prior to 5.x-2.0-beta3

   * Webform for Drupal 6.x prior to 6.x-1.0-beta3

Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

   * If you use Drupal 5.x-1.x install Webform 5.x-1.10
     [ http://drupal.org/node/242059 ].

   * If you use Drupal 5.x-2.x install Webform 5.x-2.0-beta3
     [ http://drupal.org/node/242056 ].

   * If you use Drupal 6.x install Webform 6.x-1.0-beta3
     [ http://drupal.org/node/242055 ].

See also the Webform project page [ http://drupal.org/project/webform ].

------------REPORTED BY------------

cwgordon7 [ http://drupal.org/user/157412 ] of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================