* Advisory ID: DRUPAL-SA-CONTRIB-2010-047
* Project: Services (third-party module)
* Version: 6.x
* Date: 2010-May-12
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Services module allows users to expose Drupal functionality to remote
users. Services provides the ability for developers to define access
callbacks in code for exposed services.
When using session ID authentication without API key authentication, the
module does not properly check access when a service is using the default
access callback. This allows users to access functionality which should have
been controlled by user permissions. This vulnerability is nonexistent if
session ID authentication is used in combination with API key authentication.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Services module for Drupal 6.x versions prior to 6.x-2.1
Drupal core is not affected. If you do not use the contributed Services [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the Services module for Drupal 6.x upgrade to Services 6.x-2.1
[2]
-------- REPORTED BY
---------------------------------------------------------
* Edsko de Vries [3]
* Greg Dunlap [4], the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Greg Dunlap [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at
drupal.org or via
the form at
http://drupal.org/contact [6].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1]
http://drupal.org/project/services
[2]
http://drupal.org/node/797264
[3]
http://drupal.org/user/527220
[4]
http://drupal.org/user/128537
[5]
http://drupal.org/user/128537
[6]
http://drupal.org/contact
_______________________________________________
Security-news mailing list
Securi...@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
--
Has recibido este mensaje porque estás suscrito a Grupo "Drupal Perú"
de Grupos de Google.
Si quieres publicar en este grupo, envía un mensaje de correo
electrónico a
drupa...@googlegroups.com
Y revisa las reglas
http://groups.google.es/group/drupal-peru/web
Para anular la suscripción a este grupo, envía un mensaje a
drupal-peru...@googlegroups.com
Para obtener más opciones, visita este grupo en
http://groups.google.es/group/drupal-peru?hl=es.