[Security-news] SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass

security-news at drupal.org security-news at drupal.org
Wed Sep 24 19:29:11 UTC 2014 

View online: https://www.drupal.org/node/2344389

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-092
   * Project: Services [1]     (third-party module)
   * Version: 7.x
   * Date: 2014-September-24
   * Security risk: 11/25 ( Moderately Critical)
     AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All [2]
   * Vulnerability: Cross Site Scripting, Access bypass

-------- DESCRIPTION
---------------------------------------------------------

The Services module enables you to expose an API to third party systems using
REST, XML-RPC or other protocols.

.... New user's password set to weak password in _user_resource_create()

When creating a new user account via Services, the new user's password was
set to a weak password.

This issue is mitigated by the fact that the user resource must be enabled
(or least have been enabled in the past) and new user registration permitted
via Services.

*Action required:* This release of Services comes with an interface and a
drush command to perform actions in order to secure your site and get rid of
this vulnerability. After installing this release and running the regular
database updates, make sure to read all the information provided at
/admin/config/services/services-security/, and pick the option most suited to
your site. For example, you can reset the password of all user accounts that
have been created since August 30th, 2013 (recommended).

.... Unfiltered JSONP callback parameter (XSS)

The JSONP response of a callback parameter is unfiltered and outputs raw HTTP
data. This can lead to arbitrary JavaScript execution.

This issue is mitigated by the fact that  JSONP is not enabled by default in
the REST server response formatters and the HTTP client Accept header must be
set to text/javascript or application/javascript if the "xml" formatter is
enabled.

Services module now restricts callback parameters to alphanumeric characters
only and a hard limit of 60 characters.

.... Flood control for user login bypass

Flood control was not properly enforced leaving it vulnerable to brute force
attacks. Services now implements flood control just like core Drupal does.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance
            with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Services 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Services [4]
module,
       there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   1) If you use the Services module for Drupal 7.x, upgrade to Services
      7.x-3.10 [5]
   2) follow the security update instructions at
      /admin/config/services/services-security/

Also see the Services [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Sam Metson [7] reported the user password issue
   * Régis Leroy [8] reported the XSS issue
   * Chris Oden [9] reported the flood control issue

-------- FIXED BY
------------------------------------------------------------

   * Kyle Browning [10] the module maintainer
   * Stéphane Corlosquet [11] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison [12] of the Drupal Security Team
   * Stéphane Corlosquet [13] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15],
       writing secure code for Drupal [16], and
       securing your site [17].


[1] https://www.drupal.org/project/services
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/services
[5] https://www.drupal.org/node/2344423
[6] https://www.drupal.org/project/services
[7] https://www.drupal.org/user/2812719
[8] https://www.drupal.org/user/1367862
[9] https://www.drupal.org/user/896508
[10] https://www.drupal.org/user/211387
[11] https://www.drupal.org/user/52142
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/user/52142
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration

More information about the Security-news mailing list