• Advisory ID: SA-CONTRIB-2009-036
  • Project: Services (third-party module)
  • Version: 6.x
  • Date: 2009 June 10
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Impersonation


The Services module provides integration of external applications with Drupal. Service callbacks may be used with multiple interfaces like XMLRPC, SOAP, REST, AMF. When key based access is enabled any user may view or add keys, allowing a third party to access services they would not otherwise be able to access. The services that can be exploited depend on the access control checks that are in place on a given client site.

Versions affected

Services for 6.x before version 6.x-0.14.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.


Upgrade to the latest version:

If you are running Services 6.x then upgrade to Services 6.x-0.14.

If you are running a development version of Services module please upgrade to a version dated later than 9th June 2009.

See also the Services project page.

Reported by

Gerhard Killesreiter of the Drupal Security Team

Fixed by

Marc Ingram.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.