Services Security Update -- Please Update your Version of Services.module

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by bmcmurray on June 19, 2008 at 2:16pm

For those who don't get the Security email announcements:

------------SA-2008-038 - SERVICES - ARBITRARY CODE EXECUTION------------
 * Advisory ID: DRUPAL-SA-2008-038
 * Project: Services (third-party module)
 * Versions: 5.x and 6.x
 * Date: 2008-June-18
 * Security risk: Highly critical
 * Exploitable from: Remote
 * Vulnerability: Arbitrary code execution
------------DESCRIPTION------------
The Services module package was created out of a need for a standardized
solution to integrate external applications with Drupal. It builds on concepts
from Drupal core's XMLRPC interface, but abstracts service callbacks so that
they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF.
This enables a Drupal site to provide web services via multiple interfaces while
using the same callback code.
Unfortunately, the access control system is not sufficiently granular; Users
with access to use a services have access to all provided services. With the
provided node services, or the system services enabled, it allowed arbitrary
code execution for those users.
Access to services can optionally be limited to certain ip addresses or
configured to need an API key, somewhat mitigating the issue.
------------VERSIONS AFFECTED------------
 * Versions of Services for Drupal 5.x prior to 5.x-0.9
 * Versions of Services for Drupal 6.x prior to 6.x-0.9
If you do not use the Services module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
 * If you use Services for Drupal 5.x upgrade to Services 5.x-0.9 [
http://drupal.org/node/272203 ]
 * If you use Services for Drupal 6.x upgrade to Services 6.x-0.9 [
http://drupal.org/node/272202 ]
Review the new security features within the module, and upgrade all of your
remote service calls to authenticate a user session ID before making any Service
calls requiring secure communication.
See also the Services project page [ http://drupal.org/project/services ].
------------REPORTED BY------------
Scott Nelson [ http://drupal.org/user/31156 ], Gerhard Killesreiter [
http://drupal.org/user/227 ], Heine Deelstra [ http://drupal.org/user/17943 ].
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].
Categories: ,

Comments

Is it just me, or does it

Posted by ebeyrent on June 19, 2008 at 2:44pm

Is it just me, or does it seem that the 5x version is incomplete? All I see is the /services directory and nothing else.

try downloading again

Posted by christefano on June 19, 2008 at 3:11pm

I downloaded Services 5.x-0.9 and see node_service, search_service, system_service, taxonomy_service, user_service and views_service. Try downloading from http://drupal.org/node/109640/release again.

I see the same. What I

Posted by ebeyrent on June 19, 2008 at 3:36pm

I see the same. What I don't see is:

README.txt
services.css
services.info
services.install
services.module
services_admin_browse.inc
services_admin_keys.inc

I should also note that all

Posted by ebeyrent on June 19, 2008 at 8:14pm

I should also note that all the other releases are around 18kb in size, except for the 5x, which is 10kb.

Me too. I dont actually see

Posted by newms on June 19, 2008 at 8:22pm

Me too. I dont actually see a "Services" module.

5.x-0.91 is available now at

Posted by christefano on June 20, 2008 at 7:52am

Thanks. I knew I wasn't

Posted by newms on June 20, 2008 at 3:14pm

Thanks. I knew I wasn't imagining that services.module was missing.

novice

Posted by freddymx on June 19, 2008 at 5:47pm

how to authenticate a user session ID?... some example?

FREDDY

User Sessions

Posted by robloach on June 27, 2008 at 6:09pm

Here's some pseudo-code:

session = system.connect();
user = user.login(session, 'MyName');
node.save(session, mynode);

Having this means that every session becomes securely tailored to a user that has the privileges to create and save nodes.

using sessions

Posted by freddymx on June 27, 2008 at 9:32pm

OK ... then I just add the sessionid to all the calls you make

FREDDY

FREDDY

5.x Branch missing on CVS?

Posted by g10 on September 7, 2008 at 10:52pm

5.x-0.92 is available here, but not thru CVS... folder structure seems to be duplicated :/

here == http://drupal.org/node/109640/release

Services

Group organizers

Group categories

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /