[Security-news] SA-CONTRIB-2009-036 - Services - Impersonation

security-news at drupal.org
Wed Jun 10 21:07:08 UTC 2009


  * Advisory ID: SA-CONTRIB-2009-036
  * Project: Services (third-party module)
  * Version: 6.x
  * Date: 2009 June 10
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Impersonation

-------- DESCRIPTION ---------------------------------------------------------

The Services module provides integration of external applications with
Drupal. Service callbacks may be used with multiple interfaces such as
XML-RPC, SOAP, REST and AMF. When key-based access is enabled, any user may
view or add keys, allowing a third party to access services they would not
otherwise be able to access. Which services can be exploited depends on the
access control checks that are in place on a given client site.
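The defect class described above is a key-management page that is reachable without an appropriate permission. As an added illustration that is not code from the Services module or from this advisory, the Drupal 6 snippet below shows the weak menu definition beside the hardened one and logs key creation for audit. The module name, permission string, table name and callback names (example_keys, 'administer example keys', {example_keys}) are assumptions chosen for the illustration.

```php
<?php
// Added illustration of the access-control pattern; not the Services module's
// own code. All names below are assumptions.

/**
 * Implementation of hook_perm().
 *
 * A dedicated permission for key management, so that key pages are not
 * reachable by every anonymous or authenticated user.
 */
function example_keys_perm() {
  return array('administer example keys');
}

/**
 * Implementation of hook_menu().
 */
function example_keys_menu() {
  $items = array();

  // Weak: a key page that anyone can reach. This is the shape of the defect
  // the advisory describes (any user may view or add keys). Kept here only
  // for contrast; never ship a router item like this.
  // $items['admin/build/services/keys'] = array(
  //   'title' => 'Keys',
  //   'page callback' => 'drupal_get_form',
  //   'page arguments' => array('example_keys_add_form'),
  //   'access callback' => TRUE,
  // );

  // Hardened: Drupal 6 defaults the access callback to user_access() and
  // passes 'access arguments' to it, so the page requires the permission.
  $items['admin/build/services/keys'] = array(
    'title' => 'Keys',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_keys_add_form'),
    'access arguments' => array('administer example keys'),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Form builder for adding a key (assumed form; only a title field).
 */
function example_keys_add_form() {
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('Key title'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Create key'));
  return $form;
}

/**
 * Submit handler: re-check the permission at the point of action (defence
 * in depth, independent of the menu router), generate a random key, store
 * it and write an audit entry so key creation shows up in the log.
 */
function example_keys_add_form_submit($form, &$form_state) {
  global $user;
  if (!user_access('administer example keys')) {
    drupal_access_denied();
    return;
  }
  // Random, unguessable key; md5() is used here only to get a fixed-length
  // hex string, not for any secrecy property.
  $key = md5(uniqid(mt_rand(), TRUE));
  // Assumed table {example_keys}(kid serial, uid int, title varchar, key varchar).
  db_query("INSERT INTO {example_keys} (uid, title, `key`) VALUES (%d, '%s', '%s')",
    $user->uid, $form_state['values']['title'], $key);
  watchdog('example_keys', 'Key %title created by user %uid.',
    array('%title' => $form_state['values']['title'], '%uid' => $user->uid),
    WATCHDOG_NOTICE);
  drupal_set_message(t('Key created.'));
}
```

With the hardened router item, a site administrator can verify the fix by visiting the key page as a user without the permission and confirming an access denied response, and by checking the watchdog log for an entry on every key created.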

-------- VERSIONS AFFECTED ---------------------------------------------------

Services for 6.x before version 6.x-0.14. Drupal core is not affected. If you
do not use the contributed Services module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version: if you are running Services 6.x, upgrade to
Services 6.x-0.14 [1]. If you are running a development version of the
Services module, upgrade to a version dated later than 9th June 2009.
See also the Services [2] project page.

-------- REPORTED BY ---------------------------------------------------------

Gerhard Killesreiter [3] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

Marc Ingram [4].

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/487784
[2] http://drupal.org/project/services
[3] http://drupal.org/user/227
[4] http://drupal.org/user/77320
