Drupal Services Module Session ID Authentication Security Bypass Vulnerability
BID:40131
Info
Drupal Services Module Session ID Authentication Security Bypass Vulnerability
| Bugtraq ID: | 40131 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 12 2010 12:00AM |
| Updated: | May 12 2010 12:00AM |
| Credit: | Edsko de Vries and Greg Dunlap |
| Vulnerable: |
Drupal Services 6.x-2.0 |
| Not Vulnerable: |
Drupal Services 6.x-2.1 |
Discussion
Drupal Services Module Session ID Authentication Security Bypass Vulnerability
The Services module for Drupal is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.
Attackers can exploit this issue to bypass security restrictions to obtain sensitive information or perform unauthorized actions; this may aid in launching further attacks.
Versions prior to Services 6.x-2.1 are vulnerable.
The Services module for Drupal is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.
Attackers can exploit this issue to bypass security restrictions to obtain sensitive information or perform unauthorized actions; this may aid in launching further attacks.
Versions prior to Services 6.x-2.1 are vulnerable.
Exploit / POC
Drupal Services Module Session ID Authentication Security Bypass Vulnerability
Attackers can exploit this issue through a browser.
Attackers can exploit this issue through a browser.
Solution / Fix
Drupal Services Module Session ID Authentication Security Bypass Vulnerability
Solution:
Updates are available; please see the references for more information.
Drupal Services 6.x-2.0
Solution:
Updates are available; please see the references for more information.
Drupal Services 6.x-2.0
-
Drupal services-6.x-2.1.tar.gz
http://ftp.drupal.org/files/projects/services-6.x-2.1.tar.gz
References
Drupal Services Module Session ID Authentication Security Bypass Vulnerability
References:
References:
- Drupal Language Switcher Dropdown Homepage (Drupal)
- SA-CONTRIB-2010-047: Services - Access Bypass (Drupal)
- Services Homepage (Drupal)