Services - Critical - Arbitrary Code Execution

* Advisory ID: DRUPAL-SA-CONTRIB-2016-029
* Project: Services
* Version: 7.x
* Date: 2017-March-08
* Security risk: 21/25 ( Highly Critical)
* Vulnerability: Arbitrary PHP code execution


This module provides a standardized solution for building API's so that
external clients can communicate with Drupal.

The module accepts user submitted data in PHP's serialization format
("Content-Type: application/vnd.php.serialized") which can lead to arbitrary
remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your
Service Endpoint's path, and your Service Endpoint must have
"application/vnd.php.serialized" enabled as a request parser.


* Services 7.x-3.x versions prior to 7.x-3.19.

Drupal core is not affected. If you do not use the contributed Services
module, there is nothing you need to do.


Install the latest version:

* If you use the Services 3.x module for Drupal 7.x, upgrade to Services

You may disable "application/vnd.php.serialized" under "Request parsing" in Drupal to prevent the exploit: /admin/structure/services/list/[my-endpoint]/server

However, installing the latest version of the Services module is highly recommended.

Also see the Services project page:

Add new comment