Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description: This module enables you to build forms and surveys in Drupal.
The module does not sufficiently validate the data submitted to the Webform Signature element when a webform submission is created. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Drupal 8 core and contributed modules use such HMAC hashes in multiple places.
In certain situations an extracted HMAC hash could be used to view restricted site content or to log in as another user.
This vulnerability is mitigated by the fact that an attacker must be able to create a webform submission containing a "Signature" element and then be able to view that submission.
For Drupal instances where the "Signature" webform element is available to users with low trust, it is advised to change the value of the hash salt in settings.php to a new random value. The salt is part of the key used for these HMAC hashes, so rotating it invalidates any hashes already extracted, along with all outstanding one-time login links and form tokens, as the comment in settings.php notes. The relevant extract from settings.php is:
/**
 * Salt for one-time login links, cancel links, form tokens, etc.
 *
 * This variable will be set to a random value by the installer. All one-time
 * login links will be invalidated if the value is changed. Note that if your
 * site is deployed on a cluster of web servers, you must ensure that this
 * variable has the same value on each server.
 *
 * For enhanced security, you may set this variable to the contents of a file
 * outside your document root; you should also ensure that this file is not
 * stored with backups of your database.
 *
 * Example:
 * @code
 * $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
 * @endcode
 */
$settings['hash_salt'] = 'new-value-here';
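The following is an added example, not code from the advisory or from the Webform or Drupal projects, that models why rotating the hash salt is the recommended mitigation. It assumes a simplified token scheme in which the HMAC key is just the hash salt (real Drupal mixes further secret material into the key), an output format modelled on the shape of Drupal 8's Crypt::hmacBase64() (an assumption about its exact format), and a hypothetical hmac_oracle() standing in for the flawed code path the advisory describes: a place where the site computes its HMAC over attacker-chosen data and then shows it back. The sample payload is constructed.

```python
import base64
import hashlib
import hmac
import secrets


def hmac_base64(data: bytes, key: bytes) -> str:
    """Return HMAC-SHA256(key, data) as URL-safe base64 without '=' padding.

    Modelled on the output shape of Drupal 8's Crypt::hmacBase64() (an
    assumption about its format; this is not the project's code).
    """
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class SiteSecrets:
    """Holds the site's hash_salt, the settings.php value the advisory says to rotate."""

    def __init__(self, hash_salt: str) -> None:
        self.hash_salt = hash_salt

    def rotate(self) -> None:
        """Replace the salt with a fresh random value, as settings.php recommends."""
        self.hash_salt = secrets.token_hex(32)


def make_token(site: SiteSecrets, data: str) -> str:
    """A salt-keyed HMAC over some data, e.g. a one-time-login or form-token payload.

    Simplification (assumption): real Drupal mixes further secret material into
    the key; only the hash_salt component matters for this demonstration.
    """
    return hmac_base64(data.encode("utf-8"), site.hash_salt.encode("utf-8"))


def verify_token(site: SiteSecrets, data: str, token: str) -> bool:
    """Constant-time comparison of a presented token against a recomputed one."""
    return hmac.compare_digest(make_token(site, data), token)


def hmac_oracle(site: SiteSecrets, attacker_data: str) -> str:
    """Hypothetical model of the flaw the advisory describes: a code path that
    hands back the site's HMAC over attacker-chosen data."""
    return make_token(site, attacker_data)


def demo() -> dict:
    """Walk through extraction, misuse, and salt rotation; return the outcomes."""
    site = SiteSecrets(hash_salt="original-salt-set-by-installer")
    # Constructed sample payload standing in for whatever data a real token covers.
    payload = "uid=7;timestamp=1588723200"

    legit = make_token(site, payload)           # what the site would issue
    extracted = hmac_oracle(site, payload)      # what the oracle leaks
    forged_valid_before = verify_token(site, payload, extracted)

    site.rotate()                               # the advisory's mitigation
    forged_valid_after = verify_token(site, payload, extracted)
    legit_valid_after = verify_token(site, payload, legit)

    return {
        "extracted_matches_legit": extracted == legit,
        "forged_valid_before_rotation": forged_valid_before,
        "forged_valid_after_rotation": forged_valid_after,
        "legit_valid_after_rotation": legit_valid_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Before rotation the extracted value is byte-for-byte the token the site would have issued, so it verifies; after rotation neither it nor the legitimately issued token verifies, which is the trade-off the settings.php comment warns about: rotating the salt cuts off the attacker but also invalidates every outstanding one-time login link.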

Solution: Install the latest version:

Also see the Webform project page.

Reported By: 

  • Heine of the Drupal Security Team

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2020-012