The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, does not prevent caching of a page that contains token placeholders for a default value, which allows remote attackers to read session variables via unspecified vectors.
Drupal's Webform module is vulnerable to session variable disclosure. By requesting cached pages that contain token placeholders for default values, attackers can read sensitive data belonging to other users, potentially leading to account compromise and data breaches.
Step 1: Webform Creation: An administrator creates a webform with elements that utilize token placeholders for default values. These placeholders are designed to dynamically populate with user-specific information.
Step 2: Page Caching: Because the vulnerable Webform module does not prevent it, the page containing the webform and its token placeholders is stored in the page cache. The caching mechanism does not personalize the cached content per user.
Step 3: Attacker Request: An attacker requests the cached page. The attacker may or may not be authenticated.
Step 4: Data Retrieval: The attacker receives the cached page, which contains the token placeholders that have been populated with session-specific data from the original user who first accessed the page. This data could include user IDs, email addresses, or other sensitive information.
Step 5: Information Disclosure: The attacker successfully extracts the sensitive information embedded within the cached page, leading to a potential data breach or account compromise.
The vulnerability stems from a page-caching issue within the Webform module. Specifically, the module fails to properly handle token placeholders used for default values within webform elements. When the page containing such a form is rendered, the placeholders are resolved against the session of the user making that request; the module then allows the resulting page, with that user's values already substituted, to be stored in the page cache. Any later visitor who is served the cached copy, authenticated or not, receives the first user's session-specific information, such as user IDs or other sensitive data, that should not be publicly accessible. The root cause is that cached content is neither varied per user nor excluded from the cache when it depends on session state. The flaw lies in the module's interaction with the caching mechanism and its failure to account for dynamic, user-specific data within the cached content: the module does not adequately distinguish between content that can be safely cached and content that requires user-specific rendering.
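The caching flaw described above, reduced to a runnable model (an added example, not Webform or Drupal code): a page cache keyed only on the path stores the first requester's resolved tokens and serves them to everyone, while the corrected cache renders session-dependent pages per request and never stores them. The percent-prefixed placeholder syntax, the session dictionaries and the sample form are constructed assumptions.

```python
import re

# Placeholder syntax is a constructed assumption for this model, e.g. "%useremail".
TOKEN_RE = re.compile(r"%(\w+)")

def render(template, session):
    """Resolve every token placeholder against the requesting user's session data."""
    return TOKEN_RE.sub(lambda m: session.get(m.group(1), ""), template)

class VulnerablePageCache:
    """Flawed behaviour: the fully rendered page is cached, keyed only by path,
    so whichever user first triggers the cache has their values baked in."""
    def __init__(self):
        self.store = {}

    def get_page(self, path, template, session):
        if path not in self.store:
            self.store[path] = render(template, session)
        return self.store[path]

class FixedPageCache:
    """Corrected behaviour: a page whose template depends on session-resolved
    tokens is rendered fresh for every request and never written to the cache."""
    def __init__(self):
        self.store = {}

    def get_page(self, path, template, session):
        if TOKEN_RE.search(template):
            return render(template, session)
        if path not in self.store:
            self.store[path] = render(template, session)
        return self.store[path]

def page_seen_by_anonymous(cache_cls):
    """Replay the advisory's sequence: a logged-in user loads the form first, then an
    anonymous visitor requests the same path. Returns what the visitor receives."""
    cache = cache_cls()
    template = '<input name="email" value="%useremail">'  # constructed sample form
    logged_in = {"useremail": "alice@example.com", "uid": "42"}  # constructed session
    cache.get_page("/node/1", template, logged_in)
    return cache.get_page("/node/1", template, {})  # anonymous: empty session

def leaks_session_data(cache_cls, marker="alice@example.com"):
    """Detection check: does the anonymous response carry the first user's data?"""
    return marker in page_seen_by_anonymous(cache_cls)
```

The same two-request check (authenticated load, then anonymous load of the identical path, comparing responses) is a practical way to confirm on a real site whether a page cache is leaking per-user defaults.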