Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-March-03
Vulnerability:
Access bypass
Affected versions:
<5.25.0 || 6.0.0 || 6.0.1
Description:
The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.
The confirmation email can be used as an open mail relay to send an email to any email address.
This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.
With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.
If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler.
Solution:
Install the latest version:
- If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.25 or Webform 6.0.2
If you are using a previous release of the Webform module you can immediately do one of several options.
- Delete the default Contact form. (/form/contact)
- Delete the default Contact form's confirmation email handler.(/admin/structure/webform/manage/contact/handlers)
- Update the default Contact form's confirmation email to only email the current user's email address using the
[current-user:mail]token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit) - Add SPAM protection to the default Contact form.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
