* Advisory ID: DRUPAL-SA-CONTRIB-2009-101
* Project: Web Services (third-party theme)
* Version: 6.x
* Date: 2009-November-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Web Services module provides an API for other sites to communicate with a Drupal site, enabling the publishing of content, change of user information, or simply integration of a Flash application. The module fails to implement proper access checks, leading to an Access Bypass vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Web Services module, all versions.
Drupal core is not affected. If you do not use the contributed Web Services [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Web Services module is not maintained and there is no direct solution. Disable the module. The Services [2] module, from which Web Services was forked, may be a possible replacement depending on your requirements.
-------- REPORTED BY ---------------------------------------------------------
* Reported by Paolo Sinelli
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/webservices
[2] http://drupal.org/project/services