- "details": "This module enables you to build forms and surveys in Drupal.\n\nThe module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used across multiple spots in Drupal 8 core and contrib modules.\n\nAn extracted HMAC hash could be used to view restricted site content or log in as another user in certain situations.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to create a webform submission with \"Signature\" element and then be able to view the submission.\n\nFor Drupal instances that have \"Signature\" webform element available to users with low trust, it is advised to change the value of the hash salt within `settings.php` file to a new random value. Below we reference the specific extract from `settings.php` that is advised for change in such Drupal instances:\n\n```\n/**\n * Salt for one-time login links, cancel links, form tokens, etc.\n *\n * This variable will be set to a random value by the installer. All one-time\n * login links will be invalidated if the value is changed. Note that if your\n * site is deployed on a cluster of web servers, you must ensure that this\n * variable has the same value on each server.\n *\n * For enhanced security, you may set this variable to the contents of a file\n * outside your document root; you should also ensure that this file is not\n * stored with backups of your database.\n *\n * Example:\n * @code\n * $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');\n * @endcode\n */\n$settings['hash_salt'] = 'new-value-here';\n\n```",
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments