Scoutnet vzw

We connect scouts!
All times are UTC + 1 hour
Posted: 23 Jun 2008 19:04
Author: Site Admin (registered: 17 Jul 2002 23:00, posts: 1522, location: Wetteren)

------------SA-2008-038 - SERVICES - ARBITRARY CODE EXECUTION------------

* Advisory ID: DRUPAL-SA-2008-038
* Project: Services (third-party module)
* Versions: 5.x and 6.x
* Date: 2008-June-18
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution

------------DESCRIPTION------------

The Services module package was created out of a need for a standardized solution to integrate external applications with Drupal. It builds on concepts from Drupal core's XMLRPC interface, but abstracts service callbacks so that they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF. This enables a Drupal site to provide web services via multiple interfaces while using the same callback code.

Unfortunately, the access control system is not sufficiently granular; users with access to use services have access to all provided services. With the provided node services, or the system services enabled, it allowed arbitrary code execution for those users.

Access to services can optionally be limited to certain IP addresses or configured to need an API key, somewhat mitigating the issue.

------------VERSIONS AFFECTED------------

* Versions of Services for Drupal 5.x prior to 5.x-0.9
* Versions of Services for Drupal 6.x prior to 6.x-0.9

If you do not use the Services module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you use Services for Drupal 5.x upgrade to Services 5.x-0.9 [ http://drupal.org/node/272203 ]
* If you use Services for Drupal 6.x upgrade to Services 6.x-0.9 [ http://drupal.org/node/272202 ]

Review the new security features within the module, and upgrade all of your remote service calls to authenticate a user session ID before making any Service calls requiring secure communication.

See also the Services project page [ http://drupal.org/project/services ].

------------REPORTED BY------------

Scott Nelson [ http://drupal.org/user/31156 ], Gerhard Killesreiter [ http://drupal.org/user/227 ], Heine Deelstra [ http://drupal.org/user/17943 ].

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
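The authorization flaw the advisory describes, modelled as an added example (constructed for this page, not the Services module's own code): a single coarse "access services" permission gating every method, beside the granular check the fix calls for (per-method permission plus a validated session ID). The method names, their permission mapping and the session store are assumptions made for the illustration.

```python
"""Coarse vs. granular authorization for a service dispatcher.
Constructed model of the SA-2008-038 class of flaw; not Drupal code."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed catalogue: service method -> permission it ought to require.
# "system.*" stands in for the methods the advisory ties to code execution.
SERVICE_PERMS = {
    "node.get": "access content",
    "node.save": "administer nodes",
    "system.evaluate": "administer site configuration",
}

@dataclass
class Caller:
    name: str
    perms: Set[str] = field(default_factory=set)
    session_id: Optional[str] = None  # ID obtained by a prior login call

def coarse_authorize(caller: Caller, method: str) -> bool:
    """Vulnerable pattern: one gate permission unlocks every method."""
    return method in SERVICE_PERMS and "access services" in caller.perms

def granular_authorize(caller: Caller, method: str, valid_sessions: Set[str]) -> bool:
    """Fixed pattern: gate permission, validated session, and the method's own permission."""
    if method not in SERVICE_PERMS:
        return False
    if "access services" not in caller.perms:
        return False
    if caller.session_id is None or caller.session_id not in valid_sessions:
        return False  # unauthenticated remote call: deny before the method-level check
    return SERVICE_PERMS[method] in caller.perms

def audit(caller: Caller, valid_sessions: Set[str]) -> dict:
    """List the methods a caller can reach under each policy, for side-by-side review."""
    return {
        "coarse": sorted(m for m in SERVICE_PERMS if coarse_authorize(caller, m)),
        "granular": sorted(m for m in SERVICE_PERMS
                           if granular_authorize(caller, m, valid_sessions)),
    }

if __name__ == "__main__":
    # A low-privileged user who was only granted the gate permission plus "access content".
    editor = Caller("editor", {"access services", "access content"}, "sess-1")
    print(audit(editor, {"sess-1"}))
    # {'coarse': ['node.get', 'node.save', 'system.evaluate'], 'granular': ['node.get']}
```

Under the coarse policy the editor reaches the system method; under the granular policy the audit shows only the method that matches a permission the account actually holds.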
