Drupal patches two critical security vulnerabilities that allow remote code execution in 7.x series

 

What’s notable about these vulnerabilities isn’t that there were two discovered, but rather the way they were announced. Both security advisories were listed at nearly the same time, with only a two-minute difference in the posting time between the two announcements.

 

The headline here, however, is that both vulnerabilities are rated as Highly Critical, and both could allow arbitrary PHP code execution on a site. While these vulnerabilities are not part of Drupal core, they are ubiquitous modules commonly used for Drupal 7 sites.

 

According to the official Drupal security advisory (SA-CONTRIB-2016-039), a “highly critical” vulnerability identified in the Coder third-party module could allow a malicious attacker to remotely execute PHP code against a site.

 

In normal use, the Coder module is designed to check your code against Drupal best practices and recommended coding standards established by the Drupal community. However, the identified vulnerability “doesn’t sufficiently validate user inputs in a script file that has the PHP extension,” the security advisory states.

 

By taking advantage of the vulnerability, an “unauthenticated user can make requests directly to this file to execute arbitrary PHP code.”

 

The Drupal Security Team emphasizes “there are no mitigating factors” to this vulnerability. Also unusual, the module does not need to be enabled for someone to take advantage of the vulnerability. The file is on the system and can be reached from the web remotely. If it is there, it can be compromised.

 

Coder module 7.x-1.x versions prior to 7.x1.3

Coder module 7.x-2.x versions prior to 7.x-2.6

 

The solutions are either to install the latest version for Drupal 7.x by upgrading to Coder 7.x-1.3 or Coder 7.x-2.6, or to simply remove the entire coder module from all publicly available websites.

 

While Coder is designed as a tool to be used in dev environments, it is frequently pushed through to live production sites. If you use Coder in development, it is recommended you double-check your production site to ensure it has not been pushed to your live environment.

 

The security advisory released for the RESTful Web Services vulnerability (SA-CONTRIB-2016-40) reads similar to the Coder one posted two minutes earlier.

 

The vulnerability takes advantage of the module’s ability to alter default page callbacks for entities to provide additional functionality by sending “specially crafted requests resulting in arbitrary PHP execution.

 

Again, similar to the Coder vulnerability, the Drupal Security Team emphasizes “there are no mitigating factors” to this vulnerability. It can be exploited by anonymous users to execute PHP code against a site.

 

RESTful Web Services 7.x-2.x versions prior to 7.x-2.6

RESTful Web Services 7.x-1.x versions prior to 7.x-1.7

 

The only solution is to install the latest version of the module. Developers need to upgrade their sites to RESTful Web Services 7.x-2.6 or 7.x-1.7, depending on the site’s structure. Both updates are easy to identify from the version control changelog as they were both released on July 13, 2016.

 

Note that in addition to these two critical vulnerability patches, the Drupal Team recently released a large, full-featured update for the 7.x series. If you are spending time updating these modules, you may wish to update your site to the new Drupal 7.50 core, as well. It’s an update with several new features to enhance your Drupal site.

 

More information about the Drupal 7.50 release can be found in the Managed.com Knowledge Base article “Drupal — Secure and Latest Versions.”

 

Coder - Highly Critical - Drupal Security Advisory. (Drupal.org)

Coder project page and version control. (Drupal.org)

RESTWS - Highly Critical - Drupal Security Advisory. (Drupal.org)

RESTful Web Services project page and version control. (Drupal.org)