* Advisory ID: SA-CONTRIB-2009-036
* Project: Services (third-party module)
* Version: 6.x
* Date: 2009 June 10
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Impersonation
-------- DESCRIPTION ---------------------------------------------------------
The Services module provides integration of external applications with Drupal. Service callbacks may be used with multiple interfaces such as XMLRPC, SOAP, REST and AMF. When key-based access is enabled, any user may view or add keys, allowing a third party to access services they would not otherwise be able to access. The services that can be exploited depend on the access control checks that are in place on a given client site.

-------- VERSIONS AFFECTED ---------------------------------------------------
Services for 6.x before version 6.x-0.14. Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version: If you are running Services 6.x then upgrade to Services 6.x-0.14 [1]. If you are running a development version of the Services module, please upgrade to a version dated later than 9th June 2009. See also the Services [2] project page.

-------- REPORTED BY ---------------------------------------------------------
Gerhard Killesreiter [3] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------
Marc Ingram [4].

-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/487784
[2] http://drupal.org/project/services
[3] http://drupal.org/user/227
[4] http://drupal.org/user/77320
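The DESCRIPTION section above comes down to a key-management page that lacked an access check. The following Drupal 6 snippet is an added illustration of that class of defect and its remedy; it is not the Services module's code or its actual fix, and the menu path, function names and the 'administer services' permission name are assumptions.

```php
<?php
// Added illustration (not the Services module's own code or its actual fix).
// Drupal 6 hook_menu() entries for a hypothetical key-management page.
// The path, function names and permission name are assumptions.

// Weak definition: 'access callback' => TRUE hands the page to every
// visitor, so any user can list or add keys.
function example_keys_menu_weak() {
  $items['admin/build/services/keys'] = array(
    'title'           => 'Service keys',
    'page callback'   => 'example_keys_admin_page',
    'access callback' => TRUE,
    'type'            => MENU_LOCAL_TASK,
  );
  return $items;
}

// Corrected definition: with no 'access callback' given, Drupal 6 uses
// user_access() with 'access arguments', so only roles that hold the
// permission can reach the page.
function example_keys_menu_fixed() {
  $items['admin/build/services/keys'] = array(
    'title'            => 'Service keys',
    'page callback'    => 'example_keys_admin_page',
    'access arguments' => array('administer services'),
    'type'             => MENU_LOCAL_TASK,
  );
  return $items;
}

// Declare the permission so it appears on admin/user/permissions.
function example_perm() {
  return array('administer services');
}

// Defence in depth: the page callback re-checks the permission itself,
// so a later menu misconfiguration cannot silently reopen the page.
function example_keys_admin_page() {
  if (!user_access('administer services')) {
    drupal_access_denied();
    return;
  }
  // ... list and add keys here ...
}
```

After deploying a module that exposes administrative pages, verify as an anonymous user and as an authenticated user without the permission that the page returns "Access denied", not the key list.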