[Security-news] SA-CONTRIB-2009-101 - Web Services - Access Bypass
security-news at drupal.org
Wed Nov 11 22:54:28 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-101
* Project: Web Services (third-party theme)
* Version: 6.x
* Date: 2009-November-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Web Services module provides an API for other sites to communicate with a
Drupal site, enabling the publishing of content, change of user information,
or simply integration of a Flash application. The module fails to implement
proper access checks, leading to an Access Bypass vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Web Services module, all versions.
Drupal core is not affected. If you do not use the contributed Web Services
[1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Web Services module is not maintained and there is no direct solution.
Disable the module. The Services [2] module, from which Web Services was
forked, may be a possible replacement depending on your requirements.
-------- REPORTED BY ---------------------------------------------------------
* Reported by Paolo Sinelli
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/webservices
[2] http://drupal.org/project/services