[IT-SecNots] [Security-news] SA-CONTRIB-2011-055 - Webform CiviCRM Integration - Multiple vulnerabilities

[security-news AT drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2011-055
  * Project: Webform CiviCRM Integration [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2011-November-09
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, SQL Injection

-------- DESCRIPTION  
---------------------------------------------------------

The Webform CiviCRM Integration module extends the functionality of the
Webform Module [3] to link form submissions with a CiviCRM [4] database.
Version 2.0 of the module added form validation based on CiviCRM data type. A
flaw in the implementation of this feature caused other validation handlers
to fail, so the Webform would be able to be submitted even if required fields
were left blank, etc. Version 2.1 fixed this issue, but implemented
validation in such a way as to leave a possible opening for SQL injection.
Both issues are now fixed in version 2.2.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Webform CiviCRM Integration prior to 6.x-2.2
  * Webform CiviCRM Integration prior to 7.x-2.2

Drupal core is not affected. If you do not use the contributed Webform
CiviCRM Integration [5] module, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version:

  * If you use the module for Drupal 6.x, upgrade to Webform CiviCRM
    Integration 6.x-2.2 [6]
  * If you use the module for Drupal 7.x, upgrade to Webform CiviCRM
    Integration 7.x-2.2 [7]

See also the Webform CiviCRM Integration [8] project page.

-------- REPORTED BY  
---------------------------------------------------------

  * Michał Mach [9]

-------- FIXED BY  
------------------------------------------------------------

  * Coleman Watts [10] the module maintainer

-------- COORDINATED BY  
------------------------------------------------------

  * Stéphane Corlosquet [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/webform_civicrm
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform
[4] http://civicrm.org
[5] http://drupal.org/project/webform_civicrm
[6] http://drupal.org/node/1336044
[7] http://drupal.org/node/1336046
[8] http://drupal.org/project/webform_civicrm
[9] http://drupal.org/user/765720
[10] http://drupal.org/user/639856
[11] http://drupal.org/user/52142
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news