=====================================================================
CERT-Renater Information Note No. 2011/VULN028
_____________________________________________________________________

DATE                 : 14/01/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Webform for DRUPAL 6.x-3.x, versions prior to 6.x-3.5.

======================================================================

http://drupal.org/node/1021210
______________________________________________________________________

SA-CONTRIB-2011-001 - Webform - SQL Injection

Posted by Drupal Security Team on January 10, 2011 at 10:14am

  * Advisory ID: DRUPAL-SA-CONTRIB-2011-001
  * Project: Webform (third-party module)
  * Version: 6.x
  * Date: 2011-January-10
  * Security risk: Highly critical
  * Exploitable from: Remote
  * Vulnerability: SQL Injection

Description

The contributed Webform module provides a webform node type. Typical uses for Webform are questionnaires, contact or request/registration forms, surveys, polls, or a front end to issue tracking systems.

The module does not properly use the database API, leading to an SQL injection vulnerability that can easily give a malicious user full administrative access. No permissions are required to exploit this issue. The vulnerability is being exploited in the wild.

Versions affected

  * Webform module 6.x-3.x versions prior to 6.x-3.5

Note: The 6.x-2.x branch of Webform is not affected by this vulnerability. Sites using Webform 6.x-2.8, 6.x-2.9 or 6.x-2.10 do not need to upgrade for security reasons.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

Install the latest version:

  * If you use the Webform module for Drupal 6.x, upgrade to Webform 6.x-3.5

See also the Webform project page.

Reported by

The vulnerability was reported publicly.
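The Description names the root cause as improper use of the Drupal database API. The constructed functions below are an added illustration of that class of defect and its fix, not the Webform module's own code and not the specific query patched in 6.x-3.5; the lookup, the table and the column names are assumptions chosen only to show the two ways of calling Drupal 6's db_query().

```php
<?php
// Constructed example (not Webform's code): look up a node by a title taken
// from the request, written first unsafely and then with the Drupal 6
// database API used as intended.

// Unsafe: the request value is spliced into the SQL text, so quote or
// comment characters in $_GET['title'] change the structure of the query
// instead of being treated as data. This is the pattern the advisory calls
// "not properly using the database API".
function example_node_lookup_unsafe() {
  $title = $_GET['title'];
  $sql = "SELECT nid FROM {node} WHERE title = '$title' AND type = 'webform'";
  return db_result(db_query($sql));
}

// Safe: every value reaches db_query() through a placeholder. Drupal 6
// escapes '%s' arguments and casts %d arguments to integers before the
// final SQL string is assembled, so the request value can only ever be a
// title, never additional SQL.
function example_node_lookup_safe() {
  $title = isset($_GET['title']) ? $_GET['title'] : '';
  $type = 'webform';
  $sql = "SELECT nid FROM {node} WHERE title = '%s' AND type = '%s'";
  return db_result(db_query($sql, $title, $type));
}

// Numeric values use %d without quotes; the cast rejects anything that is
// not an integer, which also covers identifiers such as node or user ids.
function example_node_lookup_by_id($nid) {
  return db_fetch_object(db_query("SELECT nid, title FROM {node} WHERE nid = %d", $nid));
}
```

Placeholders cover values only: column names, table names and ORDER BY targets cannot be parameterised this way and must be checked against a fixed list before being placed in the query text.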
Fixed by

  * Nathan Haug (quicksketch)

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44       +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41       +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================