• Advisory ID: DRUPAL-SA-CONTRIB-2011-001
  • Project: Webform (third-party module)
  • Version: 6.x
  • Date: 2011-January-10
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection


The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems.

The module does not properly use the database API, leading to an SQL Injection vulnerability that can easily lead to a malicious user gaining full administrative access.

No permissions are required to exploit this issue. The vulnerability is exploited in the wild.

Versions affected

  • Webform module 6.x-3.x versions prior to 6.x-3.5

Note: The 6.x-2.x branch of Webform is not affected by this vulnerability. Sites using Webform 6.x-2.8, 6.x-2.9, 6.x-2.10 do not need to upgrade for security reasons.

Drupal core is not affected. If you do not use the contributed webform module, there is nothing you need to do.


Install the latest version:

See also the Webform project page.

Reported by

The vulnerability was reported publicly.

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.