Services – Critical – Multiple Vulnerabilites – SA-CONTRIB-2015-096

Description

Services module enables you to expose an API to third party systems.

Access bypass (file upload and execution)

The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the “File > Create” resource must be enabled and an attacker must have a role with the Services “Save file information” permission.

Private fields information displayed

Services does not check field_access when displaying entities so some private field information may be displayed. This vulnerability only affects sites using the field access system (for example, via the Field Permissions module) to hide fields from anonymous users.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

Services 7.x-3.x versions prior to 7.x-3.12.

Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.

Solution

Install the latest version of Services: Services 7.x-3.12.

As a reminder, Services for Drupal 6 is no longer maintained.

Also see the Services project page.

Reported by

Access Bypass/file upload

Private fields information displayed

Fixed by

Access Bypass/file upload

Private fields information displayed

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Leave a Reply