services
Abstracted Web Services API for Drupal 7
This is the beginning of a design specification proposal for an abstracted API for implementing web services within Drupal 7. This allows Drupal to act as both a server and client for web services in any protocol medium (XML-RPC, RDF, RSS, JSON, etc.). It is the combined effort of a number of people at Druplicon including Marc Ingram, Scott Nelson, Nedjo Rogers, Dmitri Gaskin, etc.
Services API
Services Newbie Question
I've been trying to build two modules that will talk to each other when installed on separate sites. The functions appear to work in unit testing, but they do not talk to each other. I am not sure what I'm doing wrong. I made up a hook_xmlrpc and a hook_service function to see if that was the difference, but no luck there.
Function on calling site and the function that "should" be calling the remote site:
// basically the cron job-- the tool that updates the links and spiders for new entries
function plrhub_update_index($site_id = -1) {
if ($site_id == -1) {
Services Security Update -- Please Update your Version of Services.module
For those who don't get the Security email announcements:
------------SA-2008-038 - SERVICES - ARBITRARY CODE EXECUTION------------
* Advisory ID: DRUPAL-SA-2008-038
* Project: Services (third-party module)
* Versions: 5.x and 6.x
* Date: 2008-June-18
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
------------DESCRIPTION------------
The Services module package was created out of a need for a standardized
solution to integrate external applications with Drupal. It builds on concepts
from Drupal core's XMLRPC interface, but abstracts service callbacks so that
they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF.
This enables a Drupal site to provide web services via multiple interfaces while
using the same callback code.
Unfortunately, the access control system is not sufficiently granular; users
with access to use a service have access to all provided services. With the
provided node services, or the system services enabled, it allowed arbitrary
code execution for those users.
Access to services can optionally be limited to certain IP addresses or
configured to need an API key, somewhat mitigating the issue.
------------VERSIONS AFFECTED------------
* Versions of Services for Drupal 5.x prior to 5.x-0.9
* Versions of Services for Drupal 6.x prior to 6.x-0.9
If you do not use the Services module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* If you use Services for Drupal 5.x, upgrade to Services 5.x-0.9 [ http://drupal.org/node/272203 ]
* If you use Services for Drupal 6.x, upgrade to Services 6.x-0.9 [ http://drupal.org/node/272202 ]
Review the new security features within the module, and upgrade all of your
remote service calls to authenticate a user session ID before making any Service
calls requiring secure communication.
See also the Services project page [ http://drupal.org/project/services ].
------------REPORTED BY------------
Scott Nelson [ http://drupal.org/user/31156 ], Gerhard Killesreiter [ http://drupal.org/user/227 ],
Heine Deelstra [ http://drupal.org/user/17943 ].
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].
Drupal services provider in Perth, Australia
Hi,
Just a simple announcement, short and sweet.
ThinkLeft, a Drupal service provider, has relocated and is now based in Perth, Australia.
Whether you're looking for someone to build your site, or someone to help alleviate your overloaded staff, please have a look at http://thinkleft.com.au if interested.
Thanks for reading.
Beng Tan
ThinkLeft
thinkleft.com.au
Flex and Services security
I'm using Flex to build cross-domain widgets that can be embedded on any domain. These widgets consume data via Services and AMFPHP. Unfortunately, I've been notified that my site is now vulnerable to attacks because I have a liberal crossdomain.xml policy file that allows connections from any domain.
AS3, Flex coders looking to collaborate on Zen like flex theme?
Anyone interested in collaborating on a Zen-like Flex theme, specifically someone who can code the AS3 DTOs? The idea being to model the project after the features and functionality currently available in the Zen theme, but built in Flex.
It's my feeling that if we had one good starter theme for Flex it would allow designers and themers to more easily get started creating more advanced Flex themes.
I'm also wondering if there might be some overlap or lessons we can learn from the patterns.module. http://drupal.org/project/patterns
Voting API service
I just uploaded a stand-alone module that provides Services methods for the Voting API. This allows external applications to access and modify Voting API data for Drupal objects. For example, a Flash application could implement an interface for voting on nodes.
I've submitted this as a feature request to the Voting API project at:
http://drupal.org/node/241453
If you use the Voting API and Services, please help me test this and support its inclusion in future Voting API releases. Let me know if you have any questions or suggestions.
OAuth and Security
One issue with the Services API is its weak implementation of API keys. Although it does work, it could be better. It is probably worth it to investigate OAuth, an open protocol to "allow secure API authentication in a simple and standard method from desktop and web applications". Some of you got the chance to see Boris' talk on this in Boston at Drupalcon. Any thoughts? How would it affect Services?
JSON Server and Facebook
I am currently using Flex to consume an amfphp service, and it works great. However, when you try to use the swf on a Facebook profile, you have to click on an image first in order to load the swf.
My thought was to use the JSON server to return JSON to my Facebook app. However, I get hit with the cross-domain security issue. Has anyone here successfully accessed the JSON Server from a remote domain?
-Erich-
Organic groups..?
Hello.. I'm working on my little app here.. have figured out login, upload avatar.. and so on.. http://metroklub.sk/drulog/bin-release/DrupalLoginApp.html <-- don't know how long it will hang there.. anyway I would like my users to create their own group and let others join in if they are approved.. nothing really complicated [I guess] but now I don't know which direction to take.. should I roll out my own piece of PHP code with included bootstrap.. or install an organic groups module and try to make a service for it?.. [I don't think I'm skilled enough to write my own services]..








