View online: http://drupal.org/node/1834868

* Advisory ID: DRUPAL-SA-CONTRIB-2012-161
* Project: Webform CiviCRM Integration [1] (third-party module)
* Version: 7.x
* Date: 2012-November-07
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

Webform CiviCRM Integration allows you to expose contact data via Webforms. Depending on which fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from prying eyes.

Each "existing contact" field on a webform has a setting to enforce CiviCRM permissions -- this setting should rarely be disabled, and only by admins who know what they are doing. Unfortunately, several circumstances may have led admins to disable this setting incorrectly:

* In versions 3.0 - 3.1 of this module, "Enforce Permissions" was not on by default and needed to be manually selected by the admin. This was fixed in 3.2.
* In versions 3.0 - 3.2, the current user could not be autofilled for normal unprivileged users. This may have led some admins to disable the "Enforce Permissions" setting, a dangerous workaround.
* In versions 3.0 - 3.3, autofilling a contact via the URL with a checksum did not work for anonymous users unless the "Enforce Permissions" setting was disabled.

Version 3.4 includes an update script which will automatically set "Enforce Permissions" to /true/ for all existing contacts. Once you have upgraded, you may wish to review your webforms and ensure that autofilling contacts works as expected, especially for anonymous users. In the few rare cases where you have established access control through some other means, disabling "Enforce Permissions" may be necessary, and you will need to do so manually.
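The advisory recommends reviewing your webforms after the upgrade. The script below is an added example written for this page, not code from the advisory or from the Webform CiviCRM Integration module: run with `drush php-script` from the site root, it lists every existing-contact component whose "Enforce Permissions" option is off, so an admin can confirm the 3.4 update script took effect and see exactly which forms still rely on a manual exception. It assumes Webform 7.x's own `{webform_component}` table with its serialized `extra` column, and it assumes (unverified here; confirm against your installed version) that the existing-contact component has type `civicrm_contact` and stores the option under the `check_permissions` key.

```php
<?php
/**
 * Audit script (added example; not part of the advisory or the module).
 * Lists Webform "existing contact" components whose "Enforce Permissions"
 * option is disabled so they can be reviewed after upgrading to 3.4.
 *
 * Run from the site root:  drush php-script audit_enforce_permissions.php
 *
 * Assumptions, labelled as such:
 *  - Webform 7.x keeps components in {webform_component} with a serialized
 *    'extra' column (Webform's own schema).
 *  - The existing-contact component uses type 'civicrm_contact' and stores
 *    the option as $extra['check_permissions']. Confirm both against the
 *    module's components/contact.inc before relying on this output.
 */

// Assumed component type and setting key for the existing-contact field.
define('AUDIT_COMPONENT_TYPE', 'civicrm_contact');
define('AUDIT_SETTING_KEY', 'check_permissions');

/**
 * Returns an array of components with enforce-permissions disabled.
 * Each entry holds the webform nid, the component cid and its label.
 */
function audit_find_unenforced_contacts() {
  $findings = array();
  $result = db_select('webform_component', 'c')
    ->fields('c', array('nid', 'cid', 'name', 'extra'))
    ->condition('c.type', AUDIT_COMPONENT_TYPE)
    ->execute();

  foreach ($result as $row) {
    $extra = unserialize($row->extra);
    if (!is_array($extra)) {
      $extra = array();
    }
    // A missing key counts as disabled: versions 3.0 - 3.1 did not set the
    // option by default, which is precisely the case this audit must surface.
    $enforced = !empty($extra[AUDIT_SETTING_KEY]);
    if (!$enforced) {
      $findings[] = array(
        'nid' => $row->nid,
        'cid' => $row->cid,
        'name' => $row->name,
      );
    }
  }
  return $findings;
}

$findings = audit_find_unenforced_contacts();
if (empty($findings)) {
  print "All existing-contact components enforce CiviCRM permissions.\n";
}
else {
  printf("%d existing-contact component(s) with Enforce Permissions disabled:\n",
    count($findings));
  foreach ($findings as $f) {
    // Resolve the webform title so the report is readable for a site admin.
    $node = node_load($f['nid']);
    $title = $node ? $node->title : '(unknown webform)';
    printf("  node/%d (%s) component %d \"%s\"\n",
      $f['nid'], $title, $f['cid'], $f['name']);
  }
  print "Review each listed form; re-enable the setting unless access is controlled some other way.\n";
}
```

Run it once after the 3.4 update and again whenever webforms are edited; an empty report is the expected state, and any listed component should correspond to a deliberately documented exception.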
CVE: Requested

-------- VERSIONS AFFECTED ---------------------------------------------------

* Webform CiviCRM Integration 7.x-3.0 to 7.x-3.3

Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Webform CiviCRM Integration version 3.x, upgrade to version 3.4 [4]

Also see the Webform CiviCRM Integration [5] project page.

-------- REPORTED BY ---------------------------------------------------------

* Coleman Watts [6], the module maintainer

-------- FIXED BY ------------------------------------------------------------

* Coleman Watts [7], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

* Greg Knaddison [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/webform_civicrm
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform_civicrm
[4] http://drupal.org/node/1833974
[5] http://drupal.org/project/webform_civicrm
[6] http://drupal.org/user/639856
[7] http://drupal.org/user/639856
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news