Drupal 8: Multiple critical and moderately critical security advisories for Webform module

Drupal Security team has released multiple critical and moderately critical security advisories for Webform module today. This module enables you to build forms and surveys in Drupal.

Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011

Project: Webform
Date: 2020-May-06
Security risk: Critical 17∕25 
Vulnerability: Remote Code Execution

Description

The module doesn't sufficiently filter webform element properties (attributes) under the scenario of editing a webform. Malicious user could craft such an attribute (#element_validate, for example) that would invoke execution of undesired PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

The module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used across multiple spots in Drupal 8 core and contributed modules.

An extracted HMAC hash could be used to view restricted site content or log in as another user in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to create a webform submission with "Signature" element and then be able to view the submission.

For Drupal instances that have "Signature" webform element available to users with low trust, it is advised to change the value of the hash salt within settings.php file to a new random value. Below we reference the specific extract from settings.php that is advised for change in such Drupal instances:

/**
 * Salt for one-time login links, cancel links, form tokens, etc.
 *
 * This variable will be set to a random value by the installer. All one-time
 * login links will be invalidated if the value is changed. Note that if your
 * site is deployed on a cluster of web servers, you must ensure that this
 * variable has the same value on each server.
 *
 * For enhanced security, you may set this variable to the contents of a file
 * outside your document root; you should also ensure that this file is not
 * stored with backups of your database.
 *
 * Example:
 * @code
 *   $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
 * @endcode
 */
$settings['hash_salt'] = 'new-value-here';

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13∕25 
Vulnerability: Cross site scripting

Description

The module doesn't sufficiently prevent malicious code from being render via an options elements (i.e select menu, checkboxes, radios, etc...) under the scenario where the site builder allows the raw option value to be displayed.

This vulnerability is mitigated by the fact that site builder must be allowed to build webform and select raw as the options element's submission display.

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13∕25 
Vulnerability: Cross site scripting

Description

The module doesn't sufficiently filter user input under in the scenario when a webform is edited, namely the message related to character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript code through it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015

Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 14∕25 
Vulnerability: Cross site scripting

Description

The module doesn't sufficiently sanitize Webform labels nor visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label was executed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Webform - Critical - Access bypass - SA-CONTRIB-2020-016

Project: Webform
Date: 2020-May-06
Security risk: Critical 15∕25 
Vulnerability: Access bypass

Description

This webform module enables you to build 'Term select' and 'Term checkboxes' elements.

The module doesn't sufficiently check term 'view' access when rendering the 'Term select' and 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term select' and 'Term checkboxes' elements.

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass

Description

The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which implement webform_node, node, or entity access checks may not achieve the intended access results for Webform Node content.

There is no known exploit of this vulnerability and the vulnerability only exists on sites with custom code and a node access module in use.

Solution to all above security advisories

Install the latest version. If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11
Also see the Webform project page.