Wednesday, December 17, 2008

[Security announcements] SA-2008-074 - Services - Insecure signing

------------SA-2008-074 - SERVICES - INSECURE SIGNING------------

* Advisory ID: DRUPAL-SA-2008-074

* Project: Services (third-party module)

* Versions: 5.x and 6.x

* Security risk: Critical

* Exploitable from: Remote

* Vulnerability: Repeat attacks and impersonation

------------DESCRIPTION------------

Services is a module which provides an API for exposing Drupal functions. It
allows clients to remotely call methods on the server and return the requested
data for local processing.

The module doesn't sign enough of the information that passes through it and
uses an insecure hash for signing a part of the request, allowing for
impersonation attacks. In addition the validity of the request does not time out
and can therefore be used multiple times, allowing for repeat attacks.

------------VERSIONS AFFECTED------------

* Versions of Services for Drupal 5.x prior to 5.x-0.92

* Versions of Services for Drupal 6.x prior to 6.x-0.13

Drupal core is not affected. If you do not use the Services module, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version.

* If you use Services for Drupal 5.x upgrade to Services 5.x-0.92 [
http://drupal.org/node/303265 ]

* If you use Services for Drupal 6.x upgrade to Services 6.x-0.13 [
http://drupal.org/node/304938 ]

Also see the Services project page [ http://drupal.org/project/services ].

------------REPORTED BY------------

* Steven Wittens (Steven [ http://drupal.org/user/10] ])

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.

--
Unsubscribe from this newsletter: http://drupal.org/newsletter/confirm/remove/73ff60b93f11343t44

No comments: