CVE-2024-13255
📋 TL;DR
This is an access-bypass vulnerability in RESTful Web Services (restws), a contributed module for Drupal 7. The module's access checks on data queries could be forcefully browsed, so a client could retrieve entity data it was not authorized to see. It affects Drupal 7 sites running restws 7.x-2.0 through 7.x-2.9; the fix is in 7.x-2.10.
💻 Affected Systems
- Drupal RESTful Web Services module
📦 What is this software?
RESTful Web Services (restws), published on Drupal.org by the RESTful Web Services project. It is a contributed Drupal 7 module that exposes Drupal entities (nodes, users, taxonomy terms and others) as REST resources, serving single entities at paths such as /node/<id>.json and filtered listings at paths such as /node.json?<field>=<value>, in JSON, XML or RDF.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive user data, configuration or other access-controlled content from the Drupal database through REST requests that slip past the module's access checks.
Likely Case
Read access to content that should be restricted, such as user account details, unpublished content or site configuration exposed as entities.
If Mitigated
If REST endpoints are already restricted to authenticated, trusted clients (enforced outside the module, for example at the web server), exposure is limited to the data those clients are permitted to query.
🎯 Exploit Status
Exploitation requires knowledge of the module's URL structure (entity and query endpoints); an attacker then crafts specific query requests to reach data outside their permissions. The advisory page does not document a public exploit, but the request pattern is simple enough that exposure should be treated as straightforward to abuse.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.x-2.10
Vendor Advisory: https://www.drupal.org/sa-contrib-2024-019
Restart Required: No
Instructions:
1. Update the RESTful Web Services module to version 7.x-2.10 or later.
2. With Drush: drush pm-update restws
3. Or download the release from Drupal.org and replace the module files.
4. Clear Drupal caches after the update.
🔧 Temporary Workarounds
Disable RESTful Web Services module
Temporarily disable the vulnerable module until patching is possible (this also disables any integrations that depend on its endpoints):
drush pm-disable restws
Restrict REST API access
Because the flaw is in the module's own access checks, restrictions must be enforced outside the module: limit the entity REST paths (/node/*.json, /node.json, /user/*.json and so on) to trusted client IP addresses or authenticated sessions at the web server or firewall.
🧯 If You Can't Patch
- Implement strict access controls and authentication requirements for all REST endpoints
- Monitor web server access logs and Drupal watchdog for REST requests with unusual query patterns, enumeration of entity ids, or access to restricted entities
🔍 How to Verify
Check if Vulnerable:
Look up the installed RESTful Web Services version in Drupal's module list (admin/modules) or with Drush:
Check Version:
drush pm-list | grep restws
The version can also be read from the version line in the module's restws.info file, which the Drupal.org packaging script writes (version = "7.x-2.9", for example).
Verify Fix Applied:
Confirm the reported version is 7.x-2.10 or higher. Compare the numeric minor release rather than the text: as a plain string, "7.x-2.9" sorts after "7.x-2.10", so a naive string comparison would wrongly report 7.x-2.9 as patched.
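The version check above, worked through as an added example (this is not code from the page, the restws project or Drupal). It parses the version line of a Drupal 7 .info file and tests it against the affected range 7.x-2.0 up to but not including 7.x-2.10, treating dev snapshots as undetermined. The SAMPLE_INFO text is constructed for the example, and naive_string_check exists only to show why lexical comparison of Drupal version strings gets 7.x-2.9 wrong.

```python
import re
from typing import Optional

# Affected range from the advisory: branch 7.x-2.x, releases before 7.x-2.10.
AFFECTED_BRANCH = 2
FIXED_MINOR = 10

# Drupal 7 contrib versions look like 7.x-2.9 or 7.x-2.x-dev.
VERSION_RE = re.compile(r'^7\.x-(\d+)\.(\d+|x-dev)$')

# Constructed stand-in for sites/all/modules/restws/restws.info (not a real file).
SAMPLE_INFO = """\
name = RESTful Web Services
description = Exposes Drupal entities as RESTful web services.
core = 7.x
dependencies[] = entity

; Information added by Drupal.org packaging script
version = "7.x-2.9"
project = "restws"
"""


def parse_info_version(info_text: str) -> Optional[str]:
    """Return the value of the 'version = ...' line of a .info file, or None if absent."""
    m = re.search(r'^\s*version\s*=\s*"?([^"\n]+)"?\s*$', info_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True if version is in the affected range, False if fixed or on another branch,
    None if the version cannot be determined (missing, malformed, or a -dev snapshot)."""
    if not version:
        return None
    m = VERSION_RE.match(version)
    if not m:
        return None
    branch, minor = m.groups()
    if minor == 'x-dev':
        return None  # dev snapshots carry no point release; check the packaged commit instead
    if int(branch) != AFFECTED_BRANCH:
        return False
    return int(minor) < FIXED_MINOR


def naive_string_check(version: str) -> bool:
    """The wrong way: lexical comparison. '7.x-2.9' >= '7.x-2.10' is True because '9' > '1'."""
    return version >= '7.x-2.10'


if __name__ == '__main__':
    found = parse_info_version(SAMPLE_INFO)
    print(f'restws.info reports {found}: vulnerable={is_vulnerable(found)}, '
          f'naive string check says patched={naive_string_check(found)}')
```

On a real site, read the text from the module's restws.info file and pass it to parse_info_version; a None result from is_vulnerable means the check was inconclusive and the version must be confirmed by hand.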
📡 Detection & Monitoring
Log Indicators:
- Unusual REST API query patterns
- Access to REST endpoints that should be restricted
- Multiple failed authentication attempts followed by successful data queries
Network Indicators:
- Unusual traffic to restws entity endpoints: /<entity_type>/<id>.json (or .xml, .rdf), listing queries such as /node.json?... and /user.json?..., and the token endpoint /restws/session/token; the module does not serve entity data under /restws/*
- Patterns of data enumeration through REST queries
SIEM Query:
source="drupal" AND (uri_path="/node.json*" OR uri_path="/user.json*" OR uri_path="/node/*.json" OR uri_path="/user/*.json" OR uri_path="/restws/*") AND (status=200 OR status=403) | stats count dc(uri_path) AS distinct_paths BY client_ip status
(Splunk-style syntax; field names such as uri_path, client_ip and status depend on how the web server access log is onboarded. A high distinct_paths count for one client_ip, especially a mix of 403s followed by 200s, indicates entity-id enumeration.)
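The detection logic described above, run over sample access log lines, as an added example (not code from the page or from the restws project). It parses combined-format web server log lines, keeps only requests to restws-style entity paths (/<type>/<id>.<fmt> and /<type>.<fmt>?... listings), and flags a client that touches many distinct entity ids of one type or issues several successful listing queries. The log lines, IP addresses and thresholds are constructed for the example; the thresholds are starting points, not tuned values.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format; trailing referer and user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# restws URL shapes: /<entity_type>/<id>.<fmt> for one entity, /<entity_type>.<fmt>?... for listings.
RESTWS_RE = re.compile(
    r'^/(?P<etype>node|user|comment|taxonomy_term|taxonomy_vocabulary|file)'
    r'(?:/(?P<eid>\d+))?\.(?P<fmt>json|xml|rdf)(?:\?(?P<query>.*))?$'
)

# Constructed sample: one client walks user ids and runs listing queries, two clients behave normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:14:02:01 +0000] "GET /user/1.json HTTP/1.1" 403 87 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:01 +0000] "GET /user/2.json HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:02 +0000] "GET /user/3.json HTTP/1.1" 200 498 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:02 +0000] "GET /user/4.json HTTP/1.1" 403 87 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:03 +0000] "GET /user/5.json HTTP/1.1" 200 505 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:03 +0000] "GET /user/6.json HTTP/1.1" 200 511 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:04 +0000] "GET /user.json?name=admin HTTP/1.1" 200 640 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:04 +0000] "GET /user.json?mail=alice%40example.com HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:14:02:05 +0000] "GET /node.json?status=0 HTTP/1.1" 200 4096 "-" "curl/8.4.0"
198.51.100.5 - - [10/Dec/2024:14:05:10 +0000] "GET /node/12.json HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2024:14:06:00 +0000] "GET /about HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format log line into fields; None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def analyse(lines, id_threshold=5, query_threshold=3):
    """Return {client_ip: {'reasons': [...], 'ok': n200, 'denied': n403}} for clients whose
    restws traffic looks like enumeration: at least id_threshold distinct ids of one entity
    type, or at least query_threshold listing queries that returned 200."""
    per_ip = defaultdict(lambda: {'ids': defaultdict(set), 'queries': 0, 'ok': 0, 'denied': 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        r = RESTWS_RE.match(rec['path'])
        if r is None:
            continue  # not a restws entity or listing path
        s = per_ip[rec['ip']]
        if rec['status'] == 200:
            s['ok'] += 1
        elif rec['status'] == 403:
            s['denied'] += 1
        if r.group('eid'):
            s['ids'][r.group('etype')].add(r.group('eid'))
        elif rec['status'] == 200:
            s['queries'] += 1  # successful listing query, e.g. /user.json?name=...

    findings = {}
    for ip, s in per_ip.items():
        reasons = [f"{len(ids)} distinct {etype} ids" for etype, ids in s['ids'].items()
                   if len(ids) >= id_threshold]
        if s['queries'] >= query_threshold:
            reasons.append(f"{s['queries']} listing queries returned 200")
        if reasons:
            findings[ip] = {'reasons': reasons, 'ok': s['ok'], 'denied': s['denied']}
    return findings


if __name__ == '__main__':
    for ip, f in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {'; '.join(f['reasons'])} (200s={f['ok']}, 403s={f['denied']})")
```

A burst of 403s interleaved with 200s from the same client, as in the sample, is the pattern to look for: the attacker probes ids or filters until one passes the module's checks. Feed real log lines in place of SAMPLE_LOG and extend RESTWS_RE with any custom entity types the site exposes.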