Drupal Webform 6.x-2.7 and 5.x-2.7 XSS Vulnerabilities


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Webform module (http://drupal.org/project/webform) "adds a webform nodetype to your Drupal site. Typical uses for Webform are questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems."

The Webform module contains a cross site scripting vulnerability because it does not properly sanitize output of webform component names before display.

Systems affected:

Drupal 6.13 with Webform 6.x-2.7 and Drupal 5.13 with Webform 5.x-2.7 were tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise: script injected into a page viewed by an administrator runs in that administrator's browser session and can carry out authenticated actions or steal session credentials. Control of an administrative account could in turn lead to compromise of the web server process.

Mitigating factors:

The Webform module must be installed and enabled. To carry out a Webform-based XSS exploit against the module, the attacker must be able to place malicious content in a webform component name, which requires the 'create webforms' permission. The payload fires when a user views the 'Analysis' results page of that webform.

Proof of Concept:

  1. Install Drupal 6.13 and the Webform 6.x-2.7 module
  2. Enable the module through Administer -> Modules
  3. Create a new webform by clicking Create content -> Webform
  4. Fill in 'Test' for the Title and click 'Submit' to save the new form
  5. In the resulting 'Form components' table, fill in "<script>alert('xss');</script>" as the 'Name' of a new textfield component, then click 'Add'
  6. Click the 'Submit' button to save the component
  7. Click the 'Results' tab, then the 'Analysis' sub-tab; the 'xss' JavaScript alert is displayed, showing that the component name was inserted into the page unescaped

Drupal 6 Technical details:

The Webform module fails to sanitize the webform component name before it is output on line 484 of webform/webform_report.inc, inside webform_results_analysis(). The name is concatenated directly into the table cell markup, and theme_table() emits cell data verbatim, so the stored name reaches the page as raw HTML. Wrapping the name in check_plain() escapes it as HTML text. Applying the patch below fixes this vulnerability.

Patch for Drupal 6

Applying the following patch mitigates these threats.

diff -up webform/webform_report.inc webform_fixed/webform_report.inc
--- webform/webform_report.inc  2009-03-04 00:05:12.000000000 -0500
+++ webform_fixed/webform_report.inc    2009-08-25 12:27:14.496322592 -0400
@@ -481,7 +481,7 @@ function webform_results_analysis($node,
       $crows = $analysis_function($component, $sids);
       if (is_array($crows)) {
         $row[0] = array('data' => '<strong>'. $question_number .'</strong>', 'rowspan' => count($crows) + 1, 'valign' => 'top');
-        $row[1] = array('data' => '<strong>'. $component['name'] .'</strong>', 'colspan' => '10');
+        $row[1] = array('data' => '<strong>'.
check_plain($component['name']) .'</strong>', 'colspan' => '10');
         $rows = array_merge($rows, array_merge(array($row), $crows));
       }
     }
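Review bot: The `+` line is wrapped across two physical lines in the copy shown here (`'<strong>'.` on one line, `check_plain($component['name']) .'</strong>', 'colspan' => '10');` on the next), so this hunk will not apply with `patch` as pasted; rejoin it into a single line matching the `-` line before distributing. The escaping itself is correct for this position: the name lands in element content and check_plain() neutralises the HTML metacharacters, while `$question_number` on the preceding context line is a counter and needs no escaping. Since this hunk only covers the analysis table, it is worth checking any other place in webform_report.inc where `$component['name']` is written into markup and applying the same treatment.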

Drupal 5 Technical details:

The Webform module fails to sanitize the webform component name before it is output on line 481 of webform/webform_report.inc, inside webform_results_analysis(); the code is the same as in the Drupal 6 branch and the fix is the same call to check_plain(). Applying the patch below fixes this vulnerability.
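The following is an added example, not code from the Webform module or from Drupal: it reproduces, in a stand-alone script, the analysis-table row that webform_results_analysis() builds in both the Drupal 5 and Drupal 6 branches described above, feeds it a constructed component whose name is the proof-of-concept payload, and renders the cells the way theme_table() emits cell 'data' (verbatim, with no escaping). The check_plain_stub() function is an assumption standing in for Drupal's check_plain(); it performs only the htmlspecialchars() step and omits the UTF-8 validation the real function also does. All function and variable names other than those quoted from the patch are hypothetical.

```php
<?php
// Added example (not Webform or Drupal code): unpatched versus patched
// construction of the analysis-table header row, with the PoC payload.

// Stand-in for Drupal's check_plain(). Assumption: the real function also
// rejects invalid UTF-8; only the HTML escaping step is reproduced here.
function check_plain_stub($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the component created in step 5 of the proof of concept.
$component = array(
  'name' => "<script>alert('xss');</script>",
  'type' => 'textfield',
);
$question_number = 1;
// Constructed analysis rows, shaped like a component analysis function's output.
$crows = array(
  array('Left blank', 0),
  array('User entered value', 3),
);

// Row construction as in the unpatched module (the '-' line of the patch):
// the stored name is concatenated straight into the HTML.
function build_row_vulnerable($component, $question_number, $crows) {
  $row = array();
  $row[0] = array('data' => '<strong>'. $question_number .'</strong>',
                  'rowspan' => count($crows) + 1, 'valign' => 'top');
  $row[1] = array('data' => '<strong>'. $component['name'] .'</strong>',
                  'colspan' => '10');
  return $row;
}

// Row construction after the patch (the '+' line): the name is escaped first.
function build_row_fixed($component, $question_number, $crows) {
  $row = array();
  $row[0] = array('data' => '<strong>'. $question_number .'</strong>',
                  'rowspan' => count($crows) + 1, 'valign' => 'top');
  $row[1] = array('data' => '<strong>'. check_plain_stub($component['name']) .'</strong>',
                  'colspan' => '10');
  return $row;
}

// Render cells the way theme_table() does: 'data' is written out as-is and
// every other key becomes an attribute. Nothing is escaped at this stage,
// which is why the caller must escape untrusted values itself.
function render_row($row) {
  $html = '<tr>';
  foreach ($row as $cell) {
    $attrs = '';
    foreach ($cell as $key => $value) {
      if ($key !== 'data') {
        $attrs .= ' '. $key .'="'. $value .'"';
      }
    }
    $html .= '<td'. $attrs .'>'. $cell['data'] .'</td>';
  }
  return $html .'</tr>';
}

// Check used to confirm the fix: no live <script element may reach the page.
function contains_script_tag($html) {
  return stripos($html, '<script') !== false;
}

$vuln  = render_row(build_row_vulnerable($component, $question_number, $crows));
$fixed = render_row(build_row_fixed($component, $question_number, $crows));

echo "Unpatched: $vuln\n";
echo "Patched:   $fixed\n";
echo 'Script tag reaches the page (unpatched): '
     . var_export(contains_script_tag($vuln), true) ."\n";
echo 'Script tag reaches the page (patched):   '
     . var_export(contains_script_tag($fixed), true) ."\n";
```

Run with `php` from the command line. The unpatched row carries the payload through intact, so contains_script_tag() reports true; the patched row contains `&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;`, which the browser displays as text, and the check reports false. The same stub can be pointed at any other markup-building line in webform_report.inc to confirm that a stored string is escaped before it is concatenated into cell data.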

Patch for Drupal 5

Applying the following patch mitigates these threats.

--- webform_report.inc  2009-03-04 00:05:18.000000000 -0500
+++ webform_report.inc.fixed    2009-08-25 12:58:53.284318098 -0400
@@ -478,7 +478,7 @@ function webform_results_analysis($node,
       $crows = $analysis_function($component, $sids);
       if (is_array($crows)) {
         $row[0] = array('data' => '<strong>'. $question_number
.'</strong>', 'rowspan' => count($crows) + 1, 'valign' => 'top');
-        $row[1] = array('data' => '<strong>'. $component['name'] .'</strong>', 'colspan' => '10');
+        $row[1] = array('data' => '<strong>'.
check_plain($component['name']) .'</strong>', 'colspan' => '10');
         $rows = array_merge($rows, array_merge(array($row), $crows));
       }
     }
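Review bot: Two lines of this hunk are broken mid-expression in the copy shown: the `$row[0]` context line after `$question_number`, and the `+` line after `'<strong>'.`; as pasted the hunk will neither match the file nor apply, so both must be restored to single lines before use. The change is otherwise the same check_plain() wrapping as the Drupal 6 fix, and the `@@ -478,7` range is consistent with the line-481 location given in the text. As with the 6.x patch, check whether `$component['name']` is written into markup anywhere else in this file, since only the analysis table is covered here.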

Vendor Response

Upgrade to the latest version of the Webform module (http://drupal.org/node/604942).