• Advisory ID: DRUPAL-SA-2008-038
  • Project: Services (third-party module)
  • Versions: 5.x and 6.x
  • Date: 2008-June-18
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution


The Services module package was created out of a need for a standardized solution to integrate external applications with Drupal. It builds on concepts from Drupal core's XMLRPC interface, but abstracts service callbacks so that they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF. This enables a Drupal site to provide web services via multiple interfaces while using the same callback code.

Unfortunately, the access control system is not sufficiently granular; Users with access to use a services have access to all provided services. With the provided node services, or the system services enabled, it allowed arbitrary code execution for those users.

Access to services can optionally be limited to certain ip addresses or configured to need an API key, somewhat mitigating the issue.

Versions Affected

  • Versions of Services for Drupal 5.x prior to 5.x-0.9
  • Versions of Services for Drupal 6.x prior to 6.x-0.9

If you do not use the Services module, there is nothing you need to do.


Install the latest version:

Review the new security features within the module, and upgrade all of your remote service calls to authenticate a user session ID before making any Service calls requiring secure communication.

See also the Services project page.

Reported by

Scott Nelson, Gerhard Killesreiter, Heine Deelstra.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.