Drupal Security Team: DRUPAL-SA-CONTRIB-2015-096
Apr 15, 2015 - 12:00 a.m.

Services - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-096

2015-04-15 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 6 Medium (AV:N/AC:M/Au:S/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.967 High (percentile 99.7%)

Services module enables you to expose an API to third party systems.

Access bypass (file upload and execution)

The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File > Create" resource must be enabled and an attacker must have a role with the Services "Save file information" permission.
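The filename-sanitization gap described above, as an added example that is not code from the Services module or the advisory: a Python port of the munging approach Drupal core applies to uploaded names (intermediate extensions not on the allow-list get an underscore appended, so a multi-extension name no longer carries a live interpreter extension), together with an acceptance check an upload resource could run before saving file information. The allow-list, the executable-extension set and the sample names are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed allow-list of final extensions the upload resource accepts.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}

# Constructed set of extensions a web server may hand to an interpreter.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar",
                         "pl", "py", "cgi", "asp", "js", "htaccess"}

# Segment that could plausibly be treated as an extension (same heuristic
# Drupal core uses when munging): 2-5 letters with an optional trailing digit.
EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename, allowed=ALLOWED_EXTENSIONS):
    """Return a defused filename.

    - Removes NUL bytes and any directory components, so the name cannot
      truncate early or escape the upload directory.
    - Appends '_' to each intermediate extension not on the allow-list, so
      'shell.php.jpg' becomes 'shell.php_.jpg' and a server that honours
      multiple extensions no longer sees a PHP extension.
    """
    name = filename.replace("\0", "")
    name = PurePosixPath(name.replace("\\", "/")).name  # drop path prefix
    parts = name.split(".")
    if len(parts) < 3:          # no intermediate extensions to munge
        return name
    base, *middle, final = parts
    out = base
    for seg in middle:
        out += "." + seg
        if seg.lower() not in allowed and EXT_LIKE.match(seg):
            out += "_"
    return out + "." + final


def is_acceptable_upload(filename, allowed=ALLOWED_EXTENSIONS):
    """Decide whether the munged name may be written to disk at all."""
    munged = munge_filename(filename, allowed)
    if not munged or munged in (".", ".."):
        return False
    ext = munged.rsplit(".", 1)[-1].lower() if "." in munged else ""
    if ext not in allowed or ext in EXECUTABLE_EXTENSIONS:
        return False
    # After munging, no executable extension may survive anywhere in the name.
    segments = {s.lower() for s in munged.split(".")[1:]}
    return not (segments & EXECUTABLE_EXTENSIONS)
```

Saving `munge_filename(...)` rather than the client-supplied name is the point: the check and the rename happen server-side, regardless of what the API client sent.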

Private fields information displayed

Services does not check field_access when displaying entities so some private field information may be displayed. This vulnerability only affects sites using the field access system (for example, via the Field Permissions module) to hide fields from anonymous users.

CVE identifier(s) issued

  • Access bypass: CVE-2015-4393
  • Information disclosure: CVE-2015-4394

Versions affected

Services 7.x-3.x versions prior to 7.x-3.12.

Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.

Solution

Install the latest version of Services: Services 7.x-3.12.

As a reminder, Services for Drupal 6 is no longer maintained.

Also see the Services project page.

Reported by

Access Bypass/file upload

Private fields information displayed

Fixed by

Access Bypass/file upload

Private fields information displayed

Coordinated by
