RESTWS – Highly critical – Remote code execution – SA-CONTRIB-2016-040

Advisory ID: DRUPAL-SA-CONTRIB-2016-040
Project: RESTful Web Services (third-party module)
Version: 7.x
Date: 2016-July-13
Security risk: 22/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description
This module enables you to expose Drupal entities as RESTful web services.
RESTWS alters the default page callbacks for entities to provide additional functionality.
A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.
There are no mitigating factors. This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
RESTful Web Services 7.x-2.x versions prior to 7.x-2.6.
RESTful Web Services 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.
Solution
Install the latest version:
If you use the RESTful Web Services module for Drupal 7.x, upgrade to RESTful Web Services 7.x-2.6
If you use the RESTful Web


Original URL: https://www.drupal.org/node/2765567

Original article

Comments are closed.

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: