====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN259
_____________________________________________________________________

DATE                : 07/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Webform versions prior to 8.x-5.11.

=====================================================================
https://www.drupal.org/sa-contrib-2020-017
https://www.drupal.org/sa-contrib-2020-016
https://www.drupal.org/sa-contrib-2020-015
https://www.drupal.org/sa-contrib-2020-014
https://www.drupal.org/sa-contrib-2020-013
https://www.drupal.org/sa-contrib-2020-012
https://www.drupal.org/sa-contrib-2020-011
_____________________________________________________________________

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

Project: Webform
Date: 2020-May-06
Security risk:
Moderately critical 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass


Description:

This module enables you to build forms and surveys in Drupal.

The Webform Node sub-module allows these forms to be associated with a
Drupal node. The Webform Node module does not implement access checking
in the same manner as other nodes and entities. As such, writers of
custom modules which implement webform_node, node, or entity access
checks may not achieve the intended access results for Webform Node
content.

There is no known exploit of this vulnerability and the vulnerability
only exists on sites with custom code and a node access module in use.


Solution:

Install the latest version:

    If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11

Also see the Webform project page.


Reported By:

    Dan Chadwick

Fixed By:

    Dan Chadwick
    Jacob Rockowitz
    Liam Morland

Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Webform - Critical - Access bypass - SA-CONTRIB-2020-016

Project: Webform
Date: 2020-May-06
Security risk:
Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass


Description:

This webform module enables you to build 'Term select' and 'Term
checkboxes' elements.

The module doesn't sufficiently check term 'view' access when rendering
the 'Term select' and 'Term checkboxes' elements. Unpublished terms will
always appear in the 'Term select' and 'Term checkboxes' elements.


Solution:

Install the latest version:

    If you use the Webform module for Drupal 8, upgrade to Webform
8.x-5.11

Also see the Webform project page.


Reported By:

    James Gilliland of the Drupal Security Team

Fixed By:

    Jacob Rockowitz

Coordinated By:

    Greg Knaddison of the Drupal Security Team


_____________________________________________________________________

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015

Project: Webform
Date: 2020-May-06
Security risk:
Moderately critical 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting


Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently sanitize Webform labels nor visibility
conditions under the scenario of placing a block. When a webform block
is placed and visible on a website any JavaScript code contained within
the webform's label was executed.

This vulnerability is mitigated by the fact that an attacker must have a
role with the permission "Edit own webform" (or "Edit any webform").


Solution:

Install the latest version:

    If you use the Webform module for Drupal 8, upgrade to Webform
8.x-5.11

Also see the Webform project page.


Reported By:

    Ide Braakman

Fixed By:

    bucefal91
    Jacob Rockowitz

Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

Project: Webform
Date: 2020-May-06
Security risk:
Moderately critical 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting


Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently filter user input under in the scenario
when a webform is edited, namely the message related to character
min/max counter does not undergo sufficient filtering and thus allows
execution of JavaScript code through it.

This vulnerability is mitigated by the fact that an attacker must have a
role with the permission "Edit own webform" (or "Edit any webform").


Solution:

Install the latest version:

    If you use the Webform module for Drupal 8, upgrade to Webform
8.x-5.11

Also see the Webform project page.


Reported By:

    Krzysztof Domański

Fixed By:

    Krzysztof Domański
    Lee Rowlands of the Drupal Security Team
    Jacob Rockowitz
    bucefal91

Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

Project: Webform
Date: 2020-May-06
Security risk:
Moderately critical 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting


Description:

The Webform module allows site builders to create forms.

The module doesn't sufficiently prevent malicious code from being render
via an options elements (i.e select menu, checkboxes, radios, etc...)
under the scenario where the site builder allows the raw option value to
be displayed.

This vulnerability is mitigated by the fact that site builder must be
allowed to build webform and select raw as the options element's
submission display.


Solution:

Install the latest version:

    If you use the Webform module for Drupal 8, upgrade to Webform
8.x-5.11

Also see the Webform project page.


Reported By:

    Dan Chadwick

Fixed By:

    Jacob Rockowitz
    Dan Chadwick

Coordinated By:

    Greg Knaddison of the Drupal Security Team


_____________________________________________________________________

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

Project: Webform
Date: 2020-May-06
Security risk:
Moderately critical 13∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass


Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently validate data submitted into Webform
Signature element during webform submission creation. This allows a
malicious user to generate and extract HMAC hashes for arbitrary data.
Such HMAC hashes are used across multiple spots in Drupal 8 core and
contrib modules.

An extracted HMAC hash could be used to view restricted site content or
log in as another user in certain situations.

This vulnerability is mitigated by the fact that an attacker must be
able to create a webform submission with "Signature" element and then be
able to view the submission.

For Drupal instances that have "Signature" webform element available to
users with low trust, it is advised to change the value of the hash salt
within settings.php file to a new random value. Below we reference the
specific extract from settings.php that is advised for change in such
Drupal instances:

/**
 * Salt for one-time login links, cancel links, form tokens, etc.
 *
 * This variable will be set to a random value by the installer. All
   one-time
 * login links will be invalidated if the value is changed. Note that if
   your
 * site is deployed on a cluster of web servers, you must ensure that
   this
 * variable has the same value on each server.
 *
 * For enhanced security, you may set this variable to the contents of a
   file
 * outside your document root; you should also ensure that this file is
   not
 * stored with backups of your database.
 *
 * Example:
 * @code
 *   $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
 * @endcode
 */
$settings['hash_salt'] = 'new-value-here';

Solution:

Install the latest version:

    If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11

Also see the Webform project page.


Reported By:

    Heine of the Drupal Security Team

Fixed By:

    Jacob Rockowitz

Coordinated By:

    Greg Knaddison of the Drupal Security Team


_____________________________________________________________________

Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011

Project: Webform
Date: 2020-May-06
Security risk:
Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution


Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently filter webform element properties
(attributes) under the scenario of editing a webform. Malicious user
could craft such an attribute (#element_validate, for example) that
would invoke execution of undesired PHP code.

This vulnerability is mitigated by the fact that an attacker must have a
role with the permission "Edit own webform" (or "Edit any webform").


Solution:

Install the latest version:

    If you use the Webform module for Drupal 8, upgrade to Webform
8.x-5.11

Also see the Webform project page.


Reported By:

    Jacob Rockowitz

Fixed By:

    Jacob Rockowitz
    Heine of the Drupal Security Team
    bucefal91

Coordinated By:

    Greg Knaddison of the Drupal Security Team



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================