• Advisory ID: DRUPAL-SA-2008-074
  • Project: Services (third-party module)
  • Versions: 5.x and 6.x
  • Date: 2008-December-17
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Repeat attacks and impersonation

Description

Services is a module which provides an API for exposing Drupal functions. It allows clients to remotely call methods on the server and return the requested data for local processing.

The module doesn't sign enough of the information that passes through it and uses an insecure hash for signing a part of the request, allowing for impersonation attacks. In addition the validity of the request does not time out and can therefore be used multiple times, allowing for repeat attacks.

Versions Affected

  • Versions of Services for Drupal 5.x prior to 5.x-0.92
  • Versions of Services for Drupal 6.x prior to 6.x-0.13

Drupal core is not affected. If you do not use the Services module, there is nothing you need to do.

Solution

Install the latest version.

Also see the Services project page.

Reported by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.