
[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-047: Services - Access Bypass


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-047: Services - Access Bypass
  • Date: Wed, 12 May 2010 20:36:49 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-047
* Project: Services (third-party module)
* Version: 6.x
* Date: 2010-May-12
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Services module allows users to expose Drupal functionality to remote
users. Services provides the ability for developers to define access
callbacks in code for exposed services.

When session ID authentication is used without API key authentication, the
module does not properly check access for services that rely on the default
access callback. This allows users to reach functionality that should have
been restricted by user permissions. The vulnerability does not exist when
session ID authentication is used in combination with API key authentication.
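A constructed model of the failure mode described above, added here as an example and not taken from the Services module or Drupal: a dispatcher that applies the default access callback only on the API-key path (fail-open for session-only requests) beside a fail-closed version that always runs a permission check. The method name, session and permission strings are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Session:
    uid: int
    permissions: set

@dataclass
class Method:
    name: str
    callback: Callable
    access_arguments: list = field(default_factory=list)
    access_callback: Optional[Callable] = None  # None = "use the default"

def user_access(perm: str, session: Session) -> bool:
    return perm in session.permissions

def default_access(session: Session, *perms: str) -> bool:
    # Fail-closed default: every listed permission must be granted.
    return all(user_access(p, session) for p in perms)

def dispatch_vulnerable(method, session, api_key_valid=None):
    # Bug pattern: the default check only runs on the API-key path, so a
    # session-only request against a method with no explicit callback
    # skips the permission check entirely.
    if api_key_valid is False:
        raise PermissionError("bad API key")
    if method.access_callback is not None:
        if not method.access_callback(session, *method.access_arguments):
            raise PermissionError("denied")
    elif api_key_valid is True:
        if not default_access(session, *method.access_arguments):
            raise PermissionError("denied")
    return method.callback(session)

def dispatch_fixed(method, session, api_key_valid=None):
    # Fix: the access check does not depend on the authentication mode.
    if api_key_valid is False:
        raise PermissionError("bad API key")
    check = method.access_callback or default_access
    if not check(session, *method.access_arguments):
        raise PermissionError("denied")
    return method.callback(session)

def allowed(dispatch, method, session, api_key_valid=None) -> bool:
    try:
        dispatch(method, session, api_key_valid)
        return True
    except PermissionError:
        return False

# Constructed sample: a privileged method and a low-privilege session.
DELETE_NODE = Method("node.delete", lambda s: "deleted", ["administer nodes"])
VISITOR = Session(uid=7, permissions={"access content"})
```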

-------- VERSIONS AFFECTED ---------------------------------------------------

* Services module for Drupal 6.x versions prior to 6.x-2.1

Drupal core is not affected. If you do not use the contributed Services [1]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.

* If you use the Services module for Drupal 6.x, upgrade to Services 6.x-2.1 [2]

-------- REPORTED BY ---------------------------------------------------------

* Edsko de Vries [3]
* Greg Dunlap [4], the module maintainer

-------- FIXED BY ------------------------------------------------------------

* Greg Dunlap [5], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [6].

Read more about the Security Team and Security Advisories at
http://drupal.org/security.


[1] http://drupal.org/project/services
[2] http://drupal.org/node/797264
[3] http://drupal.org/user/527220
[4] http://drupal.org/user/128537
[5] http://drupal.org/user/128537
[6] http://drupal.org/contact

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
