Services Security Update -- Please Update your Version of Services.module

bmcmurray wrote:

For those who don't get the Security email announcements:

------------SA-2008-038 - SERVICES - ARBITRARY CODE EXECUTION------------

 * Advisory ID: DRUPAL-SA-2008-038

 * Project: Services (third-party module)

 * Versions: 5.x and 6.x

 * Date: 2008-June-18

 * Security risk: Highly critical

 * Exploitable from: Remote

 * Vulnerability: Arbitrary code execution

------------DESCRIPTION------------

The Services module package was created out of a need for a standardized
solution to integrate external applications with Drupal. It builds on concepts
from Drupal core's XMLRPC interface, but abstracts service callbacks so that
they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF.
This enables a Drupal site to provide web services via multiple interfaces while
using the same callback code.

Unfortunately, the access control system is not sufficiently granular: users
who are granted access to Services have access to every service it provides.
With the provided node services or the system services enabled, this allowed
arbitrary code execution by those users.

Access to services can optionally be limited to certain IP addresses or
configured to require an API key, which somewhat mitigates the issue.

------------VERSIONS AFFECTED------------

 * Versions of Services for Drupal 5.x prior to 5.x-0.9

 * Versions of Services for Drupal 6.x prior to 6.x-0.9

If you do not use the Services module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

 * If you use Services for Drupal 5.x upgrade to Services 5.x-0.9 [
http://drupal.org/node/272203 ]

 * If you use Services for Drupal 6.x upgrade to Services 6.x-0.9 [
http://drupal.org/node/272202 ]

Review the new security features in the module, and update all of your remote
service calls so that they obtain and authenticate a user session ID before
making any service call that requires secure communication.

See also the Services project page [ http://drupal.org/project/services ].

------------REPORTED BY------------

Scott Nelson [ http://drupal.org/user/31156 ], Gerhard Killesreiter [
http://drupal.org/user/227 ], Heine Deelstra [ http://drupal.org/user/17943 ].

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

Comments

ebeyrent wrote:

Is it just me, or does it seem that the 5.x version is incomplete? All I see is the /services directory and nothing else.

try downloading again

christefano wrote:

I downloaded Services 5.x-0.9 and see node_service, search_service, system_service, taxonomy_service, user_service and views_service. Try downloading from http://drupal.org/node/109640/release again.

ebeyrent wrote:

I see the same. What I don't see is:

README.txt
services.css
services.info
services.install
services.module
services_admin_browse.inc
services_admin_keys.inc

ebeyrent wrote:

I should also note that all the other releases are around 18 KB in size, except for the 5.x one, which is 10 KB.

newms wrote:

Me too. I don't actually see a "Services" module.

christefano wrote:

5.x-0.91 is available now at http://drupal.org/node/272203

newms wrote:

Thanks. I knew I wasn't imagining that services.module was missing.

novice

freddymx wrote:

How do you authenticate a user session ID?... Is there some example?

FREDDY

User Sessions

robloach wrote:

Here's some pseudo-code:

session = system.connect();            // open a session; the return value carries the session ID
user = user.login(session, 'MyName');  // bind that session to a user account
node.save(session, mynode);            // every later call passes the session ID along

Having this means that every session becomes securely tailored to a user who has the privileges to create and save nodes.
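As an added example (not the module's code, and not from the advisory or any comment above), here is the sequence the advisory's solution section and the pseudo-code above describe, written in Python against the standard-library XML-RPC client, with a constructed fake endpoint so it runs offline. Assumed, not taken from the page: the endpoint URL, the sample accounts and node, the fault codes, and the method signatures system.connect(), user.login(sessid, username, password) and node.save(sessid, node) as I understand them for Services 6.x-0.9 (confirm against your installed version). Key authentication is taken to be disabled; enabling it adds further arguments to each call that are not shown here. The fake endpoint also models my understanding that Drupal regenerates the session ID at login, so the client uses the ID that user.login returns rather than the anonymous one.

```python
"""Session-authenticated calls to a Drupal Services XML-RPC endpoint.

Client-side sequence: system.connect -> user.login -> node.save, with the
session id threaded through every call.
"""
import secrets
import xmlrpc.client

# Assumed endpoint path; check your own site's Services configuration.
SERVICES_ENDPOINT = "http://www.example.com/services/xmlrpc"


class FakeServicesEndpoint:
    """Constructed stand-in for a Services 6.x-0.9 XML-RPC endpoint so the
    example runs offline. It is NOT the module's code; it models only the
    behaviour the advisory's fix relies on: each call carries a session id,
    and node.save is authorised against the account bound to that session,
    not against a blanket grant to everyone allowed to use services."""

    def __init__(self, accounts, node_creators):
        self._accounts = accounts          # username -> password (constructed)
        self._creators = node_creators     # usernames allowed to save nodes
        self._sessions = {}                # sessid -> username, None if anonymous
        self.saved = []                    # nodes accepted by node.save

    def call(self, method, *args):
        if method == "system.connect":
            sessid = secrets.token_hex(16)
            self._sessions[sessid] = None
            return {"sessid": sessid, "user": {"uid": 0}}
        if method == "user.login":
            sessid, username, password = args
            if sessid not in self._sessions:
                raise xmlrpc.client.Fault(401, "Unknown session")
            if self._accounts.get(username) != password:
                raise xmlrpc.client.Fault(401, "Wrong username or password")
            # Session id is regenerated at login (assumed Drupal behaviour):
            # the old id stops being valid and the new one is returned.
            del self._sessions[sessid]
            new_sessid = secrets.token_hex(16)
            self._sessions[new_sessid] = username
            return {"sessid": new_sessid, "user": {"name": username}}
        if method == "node.save":
            sessid, node = args
            username = self._sessions.get(sessid)
            if username is None or username not in self._creators:
                raise xmlrpc.client.Fault(403, "Access denied")
            self.saved.append(node)
            return len(self.saved)         # stand-in for the new node id
        raise xmlrpc.client.Fault(404, "Unknown method %s" % method)


def services_call(endpoint, method, *args):
    """Invoke one Services method on a live endpoint URL or on the fake above."""
    if isinstance(endpoint, str):
        proxy = xmlrpc.client.ServerProxy(endpoint)
        # ServerProxy accepts dotted method names such as "node.save".
        return getattr(proxy, method)(*args)
    return endpoint.call(method, *args)


def save_node_as_user(endpoint, username, password, node):
    """The pattern the advisory asks for: open a session, bind it to a user,
    then pass the logged-in session id with the privileged call."""
    connect = services_call(endpoint, "system.connect")
    login = services_call(endpoint, "user.login",
                          connect["sessid"], username, password)
    # Use the session id returned by user.login, not the anonymous one.
    return services_call(endpoint, "node.save", login["sessid"], node)


def demo():
    """Exercise the cases a client author should care about; returns outcomes."""
    endpoint = FakeServicesEndpoint(
        accounts={"editor": "correct horse", "reader": "battery staple"},
        node_creators={"editor"},
    )
    node = {"type": "page", "title": "Posted over XML-RPC"}  # constructed
    results = {}

    # 1. No login: an anonymous session must not be able to save nodes.
    anon = services_call(endpoint, "system.connect")
    try:
        services_call(endpoint, "node.save", anon["sessid"], node)
        results["anonymous"] = "accepted"
    except xmlrpc.client.Fault as fault:
        results["anonymous"] = fault.faultCode

    # 2. Wrong password: user.login itself fails.
    try:
        save_node_as_user(endpoint, "editor", "wrong", node)
        results["bad_password"] = "accepted"
    except xmlrpc.client.Fault as fault:
        results["bad_password"] = fault.faultCode

    # 3. Logged in as a user without the node-creation privilege.
    try:
        save_node_as_user(endpoint, "reader", "battery staple", node)
        results["reader"] = "accepted"
    except xmlrpc.client.Fault as fault:
        results["reader"] = fault.faultCode

    # 4. Logged in as the editor: the call goes through.
    results["editor"] = save_node_as_user(endpoint, "editor", "correct horse", node)
    results["saved"] = len(endpoint.saved)
    return results


if __name__ == "__main__":
    print(demo())
```

To talk to a real site, pass SERVICES_ENDPOINT (or your own URL) as the endpoint argument instead of the fake; the client code is the same. The point of the fake is to show what the client must do for the post-0.9 authorisation to apply: the privileged call is only accepted when it carries a session that a logged-in account with the right privilege is bound to.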

using sessions

freddymx wrote:

OK... then I just add the session ID to all the calls.

FREDDY

5.x Branch missing on CVS?

g10 wrote:

5.x-0.92 is available here, but not through CVS... the folder structure seems to be duplicated :/

here == http://drupal.org/node/109640/release
