  • Advisory ID: DRUPAL-SA-CONTRIB-2009-101
  • Project: Web Services (third-party module)
  • Version: 6.x
  • Date: 2009-November-11
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The Web Services module provides an API that lets other sites communicate with a Drupal site, for example to publish content, change user information, or integrate a Flash application.

The module fails to implement proper access checks, leading to an Access Bypass vulnerability.

Versions affected

  • Web Services module, all versions.

Drupal core is not affected. If you do not use the contributed Web Services module, there is nothing you need to do.

Solution

The Web Services module is not maintained and there is no direct solution. Disable the module. The Services module, from which Web Services was forked, may be a replacement, depending on your requirements.

Reported by

  • Reported by Paolo Sinelli

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.