===================================================================== CERT-Renater Note d'Information No. 2011/VULN261 _____________________________________________________________________ DATE : 25/03/2011 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Webform Block for DRUPAL. ====================================================================== http://drupal.org/node/1103122 ______________________________________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2011-014 * Project: Webform Block (third-party module) * Version: 6.x * Date: 2011-March-23 * Security risk: Moderately critical (definition of risk levels) [1] * Exploitable from: Remote * Vulnerability: Cross Site Scripting - -------- DESCRIPTION --------------------------------------------------------- The Webform Block module enables users to make a webform available as a block. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [2]) vulnerability that may lead to a malicious user gaining full administrative access. The vulnerability is mitigated by the fact that a malicious user must be assigned a role that includes permission to create and/or edit webforms. - -------- VERSIONS AFFECTED --------------------------------------------------- * Webform Block module for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Webform Block [3] module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Webform Block module for Drupal 6.x upgrade to Webform Block 6.x-1.2 [4] See also the Webform Block project page [5]. - -------- REPORTED BY --------------------------------------------------------- * Dylan Wilder-Tack (grendzy [6]) of the Drupal security team - -------- FIXED BY ------------------------------------------------------------ * Dylan Wilder-Tack (grendzy [7]) of the Drupal security team * Mike Carter (budda [8]), module maintainer - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://drupal.org/security-team/risk-levels [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/project/webformblock [4] http://drupal.org/node/1101996 [5] http://drupal.org/project/webformblock [6] http://drupal.org/user/96647 [7] http://drupal.org/user/96647 [8] http://drupal.org/user/13164 [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================