- Advisory ID: DRUPAL-SA-CONTRIB-2016-040
- Project: RESTful Web Services (third-party module)
- Version: 7.x
- Date: 2016-July-13
- Security risk: 22/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
- Vulnerability: Arbitrary PHP code execution
This module enables you to expose Drupal entities as RESTful web services.
RESTWS alters the default page callbacks for entities to provide additional functionality.
A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.
There are no mitigating factors. This vulnerability can be exploited by anonymous users.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
- RESTful Web Services 7.x-2.x versions prior to 7.x-2.6.
- RESTful Web Services 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.
Install the latest version:
- If you use the RESTful Web Services module for Drupal 7.x, upgrade to RESTful Web Services 7.x-2.6
- If you use the RESTful Web Services module for Drupal 7.x, upgrade to RESTful Web Services 7.x-1.7
Also see the RESTful Web Services project page.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity