Drupal security announcements 6-18-2008
There were three Drupal security announcements today (6-18-2008). All of them were either "highly critical" or "critical". All three were third-party modules and the core was not affected by any of them.
'Services' module
The 'Services' module is an abstraction layer over RPC so that services can be exposed through standard Drupal callbacks. Because of a limitation in its access controls, a user has all-or-nothing access: a user who can call one service can call them all.
A partial stopgap is to limit the web service by IP. If you use the Service module then you need to upgrade to version 5.x-0.9 in Drupal 5 or 6.x-0.9 in Drupal 6.
Trail Scouts
'Trail Scouts' is a bread-crumbs solution. But data is not properly filtered, which opens the site to XSS attacks. It also opens the site to SQL injection by bypassing Drupal's database abstraction and running queries that contain data taken from a cookie.
Update 'Trail Scouts' in Drupal 5 if the version is prior to 5.x-1.4.
Profile search
'Profile Search' (not the core module 'profile') extends the core profile module so that searches can be run over more profile fields. The site is vulnerable to SQL injection attacks since unsanitized data is used in queries.
Update 'Profile Search' for Drupal 5 to 5.x-1.0.
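Both the 'Trail Scouts' and 'Profile Search' issues are the same defect class: request data (a cookie, a search term) spliced into SQL as a string, and in the first case also echoed back unfiltered. The snippet below is an added example written for this post, not code from either module or from the advisories; it shows the unsafe pattern beside the Drupal 5/6 API that closes it. The function names, the {breadcrumb_trail} table, the 'trail' cookie and the {profile_values} query are hypothetical stand-ins.

```php
<?php
// Added example, not code from the Trail Scouts or Profile Search modules.
// Assumes a Drupal 5/6 runtime: db_query() with %s/%d placeholders,
// db_fetch_object(), check_plain(), theme('item_list') and user_access().
// Table {breadcrumb_trail} and cookie 'trail' are hypothetical.

// UNSAFE: the pattern the advisories describe. Do not use; kept only to
// show what the safe version changes.
function example_trail_unsafe() {
  $trail = isset($_COOKIE['trail']) ? $_COOKIE['trail'] : '';
  // Concatenation bypasses Drupal's database abstraction: the cookie value
  // reaches the SQL parser unescaped, so a crafted cookie alters the query.
  $result = db_query("SELECT title FROM {breadcrumb_trail} WHERE path = '" . $trail . "'");
  $out = '';
  while ($row = db_fetch_object($result)) {
    // Raw output: any markup stored in title is rendered into the page (XSS).
    $out .= '<li>' . $row->title . '</li>';
  }
  return '<ul>' . $out . '</ul>';
}

// SAFE: placeholder through db_query(), check_plain() on everything printed.
function example_trail_safe() {
  $trail = isset($_COOKIE['trail']) ? $_COOKIE['trail'] : '';
  // %s is escaped by db_query() before substitution; use %d for integers.
  $result = db_query("SELECT title FROM {breadcrumb_trail} WHERE path = '%s'", $trail);
  $items = array();
  while ($row = db_fetch_object($result)) {
    // Escape on output so stored data is shown as text, never as HTML.
    $items[] = check_plain($row->title);
  }
  // theme('item_list') wraps the already-escaped strings in <ul>/<li>.
  return theme('item_list', $items);
}

// Profile search: same rule for a user-supplied search term, plus a
// permission check and neutralised LIKE wildcards.
function example_profile_search_safe($term) {
  // 'access user profiles' is the core profile module's permission.
  if (!user_access('access user profiles')) {
    return array();
  }
  // Strip the caller's own % and _ so they cannot widen the pattern;
  // db_query() then escapes quotes. '%%' is a literal percent for sprintf.
  $needle = strtr($term, array('%' => '\%', '_' => '\_'));
  $result = db_query("SELECT uid, value FROM {profile_values} WHERE value LIKE '%%%s%%'", $needle);
  $matches = array();
  while ($row = db_fetch_object($result)) {
    $matches[$row->uid] = check_plain($row->value);
  }
  return $matches;
}
```

The fix is not a one-off filter on the cookie: every value that reaches SQL goes through a db_query() placeholder, and every value that reaches the browser goes through check_plain() (or filter_xss() where some markup is intended). Escaping for the database and escaping for HTML are different operations, which is why the safe functions do both.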
References
- Drupal SA-2008-036 http://drupal.org/node/272038 ('Profile Search')
- Drupal SA-2008-037 http://drupal.org/node/272191 ('Trail Scouts')
- Drupal SA-2008-038 http://drupal.org/node/272201 ('Services')