- Advisory ID: DRUPAL-SA-CONTRIB-2011-001
- Project: Webform (third-party module)
- Version: 6.x
- Date: 2011-January-10
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
Description
The contributed Webform module provides a webform node type. Typical uses for Webform are to create questionnaires, contact or request/register forms, surveys, polls, or a front end to issue-tracking systems.
The module does not properly use the database API, leading to an SQL injection vulnerability that can easily lead to a malicious user gaining full administrative access.
No permissions are required to exploit this issue. The vulnerability is being exploited in the wild.
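The advisory only states that the module "does not properly use the database API". The following is an added illustration of what that means in Drupal 6 terms; it is not Webform's own code, and the table, column and function names are hypothetical. It places the unsafe pattern (request data concatenated into the query string) beside the form the Drupal 6 database API intends, where values are bound through typed placeholders so db_query() casts or escapes them:

```php
<?php
// Added illustrative example, not code from the Webform module.
// Table {example_submissions} and column names are hypothetical.

// UNSAFE: $sid comes straight from the request and is pasted into the SQL
// text. Drupal 6 db_query() executes the string as given, so the caller can
// change the structure of the query rather than just the compared value.
function example_submission_unsafe($sid) {
  return db_result(db_query("SELECT nid FROM {example_submissions} WHERE sid = " . $sid));
}

// SAFE: the value is passed as a separate argument and bound through the
// %d placeholder, which db_query() casts to an integer before substitution.
function example_submission_safe($sid) {
  return db_result(db_query("SELECT nid FROM {example_submissions} WHERE sid = %d", $sid));
}

// SAFE for string values: '%s' (quotes included in the query text) tells
// db_query() to escape the argument for the database before substitution.
function example_submissions_by_email($email) {
  return db_query("SELECT sid FROM {example_submissions} WHERE email = '%s'", $email);
}

// Usage (hypothetical request handler): read untrusted input, then query
// only through the placeholder-based helpers.
function example_page_callback() {
  $sid = isset($_GET['sid']) ? $_GET['sid'] : 0;
  $nid = example_submission_safe($sid);
  return $nid ? t('Submission belongs to node @nid', array('@nid' => $nid)) : t('Not found');
}
```

When reviewing a Drupal 6 module for this class of bug, look for db_query() calls whose first argument is built with string concatenation or variable interpolation from request data ($_GET, $_POST, arg(), form values); every such value should instead be a placeholder argument, with %d for integers and '%s' for strings.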
Versions affected
- Webform module 6.x-3.x versions prior to 6.x-3.5
Note: The 6.x-2.x branch of Webform is not affected by this vulnerability. Sites using Webform 6.x-2.8, 6.x-2.9 or 6.x-2.10 do not need to upgrade for security reasons.
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Webform module for Drupal 6.x, upgrade to Webform 6.x-3.5
See also the Webform project page.
Reported by
The vulnerability was reported publicly.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.