Author Topic: Security Upgrade for Webform CiviCRM Integration Module (Read 1043 times)

FatherShawn · November 10, 2011, 05:51:56 am

In case some don't subscribe to the Drupal Security List (Subscribe on your drupal.org user profile or use the rss feed):

Quote

* Advisory ID: DRUPAL-SA-CONTRIB-2011-055
* Project: Webform CiviCRM Integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-November-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, SQL Injection

-------- DESCRIPTION
---------------------------------------------------------

The Webform CiviCRM Integration module extends the functionality of the
Webform Module [3] to link form submissions with a CiviCRM [4] database.
Version 2.0 of the module added form validation based on CiviCRM data type. A
flaw in the implementation of this feature caused other validation handlers
to fail, so the Webform would be able to be submitted even if required fields
were left blank, etc. Version 2.1 fixed this issue, but implemented
validation in such a way as to leave a possible opening for SQL injection.
Both issues are now fixed in version 2.2.

-------- VERSIONS AFFECTED
---------------------------------------------------

* Webform CiviCRM Integration prior to 6.x-2.2
* Webform CiviCRM Integration prior to 7.x-2.2

Drupal core is not affected. If you do not use the contributed Webform
CiviCRM Integration [5] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

* If you use the module for Drupal 6.x, upgrade to Webform CiviCRM
Integration 6.x-2.2 [6]
* If you use the module for Drupal 7.x, upgrade to Webform CiviCRM
Integration 7.x-2.2 [7]

See also the Webform CiviCRM Integration [8] project page.

-------- REPORTED BY
---------------------------------------------------------

* Michał Mach [9]

-------- FIXED BY
------------------------------------------------------------

* Coleman Watts [10] the module maintainer

-------- COORDINATED BY
------------------------------------------------------

* Stéphane Corlosquet [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/webform_civicrm
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform
[4] http://civicrm.org
[5] http://drupal.org/project/webform_civicrm
[6] http://drupal.org/node/1336044
[7] http://drupal.org/node/1336046
[8] http://drupal.org/project/webform_civicrm
[9] http://drupal.org/user/765720
[10] http://drupal.org/user/639856
[11] http://drupal.org/user/52142
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

Coleman Watts · November 11, 2011, 10:37:31 am

Thanks for reposting this FatherShawn

CiviCRM Community Forums (archive)

News:

Author Topic: Security Upgrade for Webform CiviCRM Integration Module (Read 1043 times)

FatherShawn

Security Upgrade for Webform CiviCRM Integration Module

Coleman Watts

Re: Security Upgrade for Webform CiviCRM Integration Module