  • Advisory ID: DRUPAL-SA-2008-038
  • Project: Services (third-party module)
  • Versions: 5.x and 6.x
  • Date: 2008-June-18
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution

Description

The Services module package was created out of a need for a standardized solution to integrate external applications with Drupal. It builds on concepts from Drupal core's XMLRPC interface, but abstracts service callbacks so that they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF. This enables a Drupal site to provide web services via multiple interfaces while using the same callback code.

Unfortunately, the access control system is not sufficiently granular: users with permission to use services have access to all provided services. With the provided node services or the system services enabled, this allowed arbitrary code execution for those users.

Access to services can optionally be limited to certain IP addresses or configured to require an API key, which somewhat mitigates the issue.

Versions Affected

  • Versions of Services for Drupal 5.x prior to 5.x-0.9
  • Versions of Services for Drupal 6.x prior to 6.x-0.9

If you do not use the Services module, there is nothing you need to do.

Solution

Install the latest version:

Review the new security features within the module, and upgrade all of your remote service calls to authenticate a user session ID before making any service calls that require secure communication.
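To make the advisory's two points concrete (a single blanket permission reaching every service method, and a per-method check behind an authenticated session ID as the fix), here is an added illustration in plain PHP. It is not code from the Services module; the method names, permission names, session table, IP allowlist and API key are all constructed for the example.

```php
<?php
// Added illustration of the advisory's access-control problem; not Services module code.
// Method names, permission names and the session table below are assumed.

// Each service method is registered with the permission it should require.
// 'system.eval' stands in for any method that can run code on the server.
$methods = [
    'node.get'    => ['perm' => 'access content',  'fn' => fn($args) => 'node ' . (int) $args[0]],
    'system.eval' => ['perm' => 'administer site', 'fn' => fn($args) => 'would eval: ' . $args[0]],
];

// Constructed session table (session id => account). A request is trusted only if it
// presents a session id that resolves here, which is the upgrade step the advisory asks for.
$sessions = [
    'sess-editor' => ['name' => 'editor', 'perms' => ['access services', 'access content']],
    'sess-admin'  => ['name' => 'admin',  'perms' => ['access services', 'access content', 'administer site']],
];

// Vulnerable model (the pre-0.9 behaviour the advisory describes): one blanket permission
// gates every method, so anyone holding 'access services' reaches system.* and node.* alike.
function dispatch_coarse(array $methods, array $user, string $name, array $args): string {
    if (!in_array('access services', $user['perms'], true)) {
        return 'denied';
    }
    return ($methods[$name]['fn'])($args);
}

// Hardened model: the optional IP allowlist and API key (the partial mitigations the advisory
// mentions) come first, then the caller's session id, then the permission of the specific method.
function dispatch_granular(array $methods, array $sessions, array $req, array $cfg): string {
    if ($cfg['allow_ips'] && !in_array($req['ip'], $cfg['allow_ips'], true)) return 'denied: ip';
    if ($cfg['api_key'] !== null && !hash_equals($cfg['api_key'], (string) ($req['key'] ?? ''))) return 'denied: key';
    $user = $sessions[$req['sid'] ?? ''] ?? ['name' => 'anonymous', 'perms' => []]; // unknown session => anonymous
    $perm = $methods[$req['method']]['perm'] ?? null;                                // unknown method => denied
    if ($perm === null || !in_array($perm, $user['perms'], true)) return 'denied: ' . $user['name'];
    return ($methods[$req['method']]['fn'])($req['args']);
}

$cfg  = ['allow_ips' => ['10.0.0.5'], 'api_key' => 'constructed-key'];
$base = ['ip' => '10.0.0.5', 'key' => 'constructed-key', 'method' => 'system.eval', 'args' => ['1+1']];

// Coarse model: the editor, who only needs to read content, reaches the code-executing method.
echo dispatch_coarse($methods, $sessions['sess-editor'], 'system.eval', ['1+1']), "\n";
// Granular model: the same editor is stopped at the method's own permission; the admin is allowed;
// a request from an address outside the allowlist is stopped before any permission is consulted.
echo dispatch_granular($methods, $sessions, $base + ['sid' => 'sess-editor'], $cfg), "\n";
echo dispatch_granular($methods, $sessions, $base + ['sid' => 'sess-admin'], $cfg), "\n";
echo dispatch_granular($methods, $sessions, ['ip' => '203.0.113.9', 'sid' => 'sess-admin'] + $base, $cfg), "\n";
```

The dispatcher is deliberately transport-agnostic, mirroring the module's design in which the same callbacks sit behind XMLRPC, SOAP, REST and AMF; the access decision has to live with the method, not with the transport.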

See also the Services project page.

Reported by

Scott Nelson, Gerhard Killesreiter, Heine Deelstra.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.