- Advisory ID: DRUPAL-SA-CONTRIB-2010-047
- Project: Services (third-party module)
- Version: 6.x
- Date: 2010-May-12
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
The Services module exposes Drupal functionality to remote clients. It lets developers define, in code, the access callback that guards each exposed service method.
When session ID authentication is used without API key authentication, the module does not properly check access for service methods that rely on the default access callback. Remote users can therefore invoke functionality that should have been restricted by user permissions. The vulnerability does not exist when session ID authentication is used in combination with API key authentication.
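The following PHP is an added illustration of the class of bug described above; it is not the Services module's code and does not reproduce the actual fix shipped in 6.x-2.1. It contrasts a dispatcher that skips the permission check when a method declares no explicit access callback with one that falls back to Drupal core's user_access() and denies by default. The function names (example_*), the error helper, and the method-definition keys ('#method', '#callback', '#access callback', '#access arguments') follow the hook_service() style of Services 6.x-2.x but are assumptions for this example; user_access() and module_invoke_all() are Drupal 6 core.

```php
<?php
// Added illustration, not Services module code. Method-definition keys and
// all example_* names are assumptions for this example.

// Hypothetical error helper standing in for the module's own error reporting.
function example_error($message, $code) {
  return array('error' => $message, 'code' => $code);
}

// Vulnerable pattern: a method without an explicit '#access callback' is
// dispatched with no permission check at all. With session ID authentication
// alone, any user holding a valid session can call such a method regardless
// of the permissions it was meant to require.
function example_services_call_vulnerable(array $method, array $args) {
  if (isset($method['#access callback'])) {
    $access_args = isset($method['#access arguments']) ? $method['#access arguments'] : array();
    if (!call_user_func_array($method['#access callback'], $access_args)) {
      return example_error('Access denied', 401);
    }
  }
  // Falls through here for the "default" case with no check performed.
  return call_user_func_array($method['#callback'], $args);
}

// Hardened pattern: default to user_access() against the current session
// user, and deny when a method names neither a callback nor a permission.
// Failing closed means a forgotten access declaration cannot open a method
// to everyone.
function example_services_call_fixed(array $method, array $args) {
  $callback = isset($method['#access callback']) ? $method['#access callback'] : 'user_access';
  $access_args = isset($method['#access arguments']) ? $method['#access arguments'] : array();

  if ($callback === 'user_access' && empty($access_args)) {
    return example_error('Method declares no permission; denied by default', 403);
  }
  if (!call_user_func_array($callback, $access_args)) {
    return example_error('Access denied', 401);
  }
  return call_user_func_array($method['#callback'], $args);
}

// Audit helper for a site owner: list exposed methods that rely on the
// default access check. Assumes methods are collected via hook_service()
// as in Services 6.x-2.x; adjust the hook name if your version differs.
function example_methods_using_default_access() {
  $flagged = array();
  foreach (module_invoke_all('service') as $method) {
    if (empty($method['#access callback'])) {
      $flagged[] = isset($method['#method']) ? $method['#method'] : '(unnamed)';
    }
  }
  return $flagged;
}

// Constructed sample definitions for local testing of the two dispatchers.
// 'example.echo' declares no access callback and triggers the default path.
function example_echo_callback($value) {
  return $value;
}

function example_sample_methods() {
  return array(
    array(
      '#method' => 'example.echo',
      '#callback' => 'example_echo_callback',
      '#args' => array(array('#name' => 'value', '#type' => 'string')),
    ),
    array(
      '#method' => 'example.echo_guarded',
      '#callback' => 'example_echo_callback',
      '#access callback' => 'user_access',
      '#access arguments' => array('access content'),
    ),
  );
}
```

Running the two dispatchers against the first sample method shows the difference: the vulnerable version returns the echoed value for any session, while the hardened version returns a 403 error array because no permission was declared. Methods that explicitly name 'user_access' with a permission behave the same under both.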
Versions affected
- Services module for Drupal 6.x versions prior to 6.x-2.1
Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the Services module for Drupal 6.x upgrade to Services 6.x-2.1
Reported by
- Edsko de Vries
- Greg Dunlap, the module maintainer
Fixed by
- Greg Dunlap, the module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at http://drupal.org/security.