Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-2008-074
- Project: Services (third-party module)
- Versions: 5.x and 6.x
- Date: 2008-December-17
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Repeat attacks and impersonation
Services is a module which provides an API for exposing Drupal functions. It allows clients to remotely call methods on the server and return the requested data for local processing.
The module doesn't sign enough of the information that passes through it and uses an insecure hash for signing a part of the request, allowing for impersonation attacks. In addition the validity of the request does not time out and can therefore be used multiple times, allowing for repeat attacks.
- Versions of Services for Drupal 5.x prior to 5.x-0.92
- Versions of Services for Drupal 6.x prior to 6.x-0.13
Drupal core is not affected. If you do not use the Services module, there is nothing you need to do.
Install the latest version.
- If you use Services for Drupal 5.x upgrade to Services 5.x-0.92
- If you use Services for Drupal 6.x upgrade to Services 6.x-0.13
Also see the Services project page.
- Steven Wittens (Steven)
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.