[Security-news] SA-CONTRIB-2010-047: Services - Access Bypass

security-news at drupal.org security-news at drupal.org
Wed May 12 20:36:49 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-047
  * Project: Services (third-party module)
  * Version: 6.x
  * Date: 2010-May-12
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Services module allows users to expose Drupal functionality to remote
users. Services provides the ability for developers to define access
callbacks in code for exposed services.

When using session ID authentication without API key authentication, the
module does not properly check access when a service is using the default
access callback. This allows users to access functionality which should have
been controlled by user permissions. This vulnerability is nonexistent if
session ID authentication is used in combination with API key authentication.
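The advisory notes that Services lets developers define access callbacks in code for each exposed service, and that the bypass applies when a service relies on the default access callback. The following is an added example, not code from the advisory or from the Services project, of a service definition that declares its own access callback and permission explicitly. It assumes the Services 6.x-2.x hook_service() definition keys (#method, #callback, #access callback, #access arguments, #args, #return, #help) and Drupal 6's hook_perm() and user_access(); the module name "example" and the permission "view example items" are hypothetical.

```php
<?php
// Added example (not from the advisory or the Services project). Assumes the
// Services 6.x-2.x hook_service() keys and Drupal 6 user_access(); the module
// name "example" and the permission "view example items" are hypothetical.

/**
 * Implements hook_perm(): declare the permission the access callback checks,
 * so site administrators can grant it per role.
 */
function example_perm() {
  return array('view example items');
}

/**
 * Implements hook_service(): expose one method with an explicit access
 * callback and access arguments rather than relying on the default callback.
 */
function example_service() {
  return array(
    array(
      '#method'           => 'example.getItem',
      '#callback'         => 'example_service_get_item',
      '#access callback'  => 'example_service_access',
      '#access arguments' => array('view example items'),
      '#args'             => array(
        array(
          '#name'        => 'id',
          '#type'        => 'int',
          '#description' => t('The item ID.'),
        ),
      ),
      '#return' => 'struct',
      '#help'   => t('Returns one item; requires the "view example items" permission.'),
    ),
  );
}

/**
 * Access callback: a plain permission check against the current user, i.e.
 * whichever account the session ID authentication resolved.
 */
function example_service_access($permission) {
  return user_access($permission);
}

/**
 * Method callback: only reached when the access callback returned TRUE.
 */
function example_service_get_item($id) {
  // Constructed sample data standing in for a real lookup.
  $items = array(
    1 => array('id' => 1, 'title' => 'First item'),
    2 => array('id' => 2, 'title' => 'Second item'),
  );
  if (!isset($items[$id])) {
    // Unknown ID: return nothing rather than leaking other records.
    return NULL;
  }
  return $items[$id];
}
```

Declaring the callback and permission per service keeps the authorization decision visible in the module's own code and makes it testable independently of whatever default the Services module applies; it does not replace the upgrade the advisory prescribes.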

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Services module for Drupal 6.x versions prior to 6.x-2.1

Drupal core is not affected. If you do not use the contributed Services [1]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.

  * If you use the Services module for Drupal 6.x, upgrade to Services 6.x-2.1 [2]

-------- REPORTED BY ---------------------------------------------------------

  * Edsko de Vries [3]
  * Greg Dunlap [4], the module maintainer

-------- FIXED BY ------------------------------------------------------------

  * Greg Dunlap [5], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [6].

Read more about the Security Team and Security Advisories at
http://drupal.org/security.


[1] http://drupal.org/project/services
[2] http://drupal.org/node/797264
[3] http://drupal.org/user/527220
[4] http://drupal.org/user/128537
[5] http://drupal.org/user/128537
[6] http://drupal.org/contact
