The Drupal Security Team has published advisories for two vulnerabilities in contributed (third-party) modules. Both are classified as “Highly Critical”: Coder is rated 20/25 and RESTful Web Services 22/25 on the team’s risk scale.
What’s notable about these vulnerabilities isn’t that two were discovered, but the way they were announced: both security advisories were posted at nearly the same time, only two minutes apart.
The headline, however, is that both are rated Highly Critical and both allow arbitrary PHP code execution on an affected site. Neither module is part of Drupal core, but both are widely used on Drupal 7 sites.
How to fix Coder critical Drupal vulnerability
According to the official Drupal security advisory (SA-CONTRIB-2016-039), a “highly critical” vulnerability in the Coder contributed module allows an unauthenticated remote attacker to execute arbitrary PHP code on a site.
In normal use, Coder checks your code against the coding standards and best practices established by the Drupal community. The advisory states, however, that the module “doesn’t sufficiently validate user inputs in a script file that has the PHP extension.”
By taking advantage of the vulnerability, an “unauthenticated user can make requests directly to this file to execute arbitrary PHP code.”
The Drupal Security Team emphasizes that “there are no mitigating factors” for this vulnerability. Also unusual: the module does not need to be enabled to be exploited. Because the request goes straight to the script file rather than through Drupal’s front controller, Drupal never checks whether the module is enabled. If the file is on disk inside a web-reachable directory, it can be attacked.
Affected versions include:
Coder module 7.x-1.x versions prior to 7.x-1.3
Coder module 7.x-2.x versions prior to 7.x-2.6
The fix is either to upgrade to Coder 7.x-1.3 or Coder 7.x-2.6 for Drupal 7, or simply to remove the entire Coder module directory from every publicly reachable site.
While Coder is meant for development environments, it is frequently deployed to production along with the rest of the codebase. If you use Coder in development, double-check your production webroot to ensure it has not been pushed there. Since the module does not need to be enabled to be exploited, check the filesystem, not just the list of enabled modules.
RESTful Web Services critical Drupal vulnerability
The security advisory for the RESTful Web Services vulnerability (SA-CONTRIB-2016-040) reads much like the Coder one posted two minutes earlier.
The module alters the default page callbacks for entities to provide additional functionality; according to the advisory, an attacker can exploit this by sending “specially crafted requests resulting in arbitrary PHP execution.”
Again, similar to the Coder vulnerability, the Drupal Security Team emphasizes “there are no mitigating factors” to this vulnerability. It can be exploited by anonymous users to execute PHP code against a site.
Affected versions include:
RESTful Web Services 7.x-2.x versions prior to 7.x-2.6
RESTful Web Services 7.x-1.x versions prior to 7.x-1.7
The only fix is to install the patched release of the module: upgrade to RESTful Web Services 7.x-2.6 or 7.x-1.7, depending on which branch the site uses. Both releases are easy to spot in the project’s release history, as both were published on July 13, 2016.
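The two “affected versions” lists above are easy to misread (the 7.x-1.x and 7.x-2.x branches have different fixed numbers, and Coder’s differ from RESTWS’s), and the Coder advisory’s point that a disabled module is still exploitable means a check has to look at what is on disk, not at the enabled-module list. The script below is an added example, not code from the advisories or from either project: it walks a Drupal 7 webroot for `coder.info` and `restws.info`, reads the `version = "..."` line that Drupal.org’s packaging script adds to every release, and classifies each copy against the fixed releases named above. The module machine names `coder` and `restws` are the real ones; the directory layout and `.info` contents in the sample webroot are constructed for the example. Copies with no version line (git checkouts) or `-dev` snapshots are flagged for manual review rather than silently passed.

```python
"""Offline version check for SA-CONTRIB-2016-039 (Coder) and
SA-CONTRIB-2016-040 (RESTWS) against a Drupal 7 webroot.
Added example; not code from Drupal.org or either module."""
import os
import re
import sys
import tempfile

# First fixed release per module and release branch, from the two advisories.
FIXED_VERSIONS = {
    "coder": {"7.x-1": "7.x-1.3", "7.x-2": "7.x-2.6"},
    "restws": {"7.x-1": "7.x-1.7", "7.x-2": "7.x-2.6"},
}

# Drupal.org packaging writes:  version = "7.x-2.5"
_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)
# Contrib version grammar: <core>-<major>.<minor|x>[-<extra>]
_CONTRIB_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-(.+))?$")


def parse_info_version(info_text):
    """Return the version string from a .info file, or None if absent
    (a plain git checkout carries no version line)."""
    m = _VERSION_RE.search(info_text)
    return m.group(1) if m else None


def parse_contrib_version(version):
    """Split '7.x-2.6-rc1' into (core, major, minor, extra).
    minor is None for -dev snapshots such as '7.x-2.x-dev'."""
    m = _CONTRIB_RE.match(version)
    if not m:
        raise ValueError("not a contrib version: %r" % version)
    core, major, minor, extra = m.groups()
    return core, int(major), (None if minor == "x" else int(minor)), extra


def classify(module, version):
    """'fixed', 'vulnerable', or 'review' (cannot be decided from the string)."""
    if version is None:
        return "review"
    try:
        core, major, minor, extra = parse_contrib_version(version)
    except ValueError:
        return "review"
    fixed = FIXED_VERSIONS.get(module, {}).get("%s-%d" % (core, major))
    if fixed is None or minor is None:
        return "review"  # unknown module/branch (e.g. 6.x) or a -dev snapshot
    fixed_minor = parse_contrib_version(fixed)[2]
    # A pre-release tag of the fixed number (e.g. 7.x-2.6-rc1) predates the fix.
    if minor > fixed_minor or (minor == fixed_minor and extra is None):
        return "fixed"
    return "vulnerable"


def scan_webroot(webroot):
    """Classify every coder/restws copy under `webroot`, enabled or not.
    Returns a list of (module, path, version, status) tuples."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if not name.endswith(".info"):
                continue
            module = name[:-len(".info")]
            if module not in FIXED_VERSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path) as fh:
                version = parse_info_version(fh.read())
            findings.append((module, path, version, classify(module, version)))
    return findings


def build_sample_webroot(root):
    """Write a constructed Drupal 7 tree (sample data, not a real site)."""
    samples = {
        # Coder left behind on production: below the 7.x-2.6 fix.
        "sites/all/modules/coder/coder.info":
            'name = Coder\ncore = 7.x\nversion = "7.x-2.5"\nproject = "coder"\n',
        # RESTWS already on the fixed release.
        "sites/all/modules/restws/restws.info":
            'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-2.6"\n',
        # A git checkout in a multisite directory: no version line at all.
        "sites/example.com/modules/restws/restws.info":
            "name = RESTful Web Services\ncore = 7.x\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def scan_sample_webroot():
    """Build the constructed webroot in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="drupal-sample-")
    build_sample_webroot(root)
    return scan_webroot(root)


if __name__ == "__main__":
    # Usage: python check_contrib.py /var/www/drupal   (defaults to the sample tree)
    findings = scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else scan_sample_webroot()
    for module, path, version, status in findings:
        print("%-10s %-7s %-20s %s" % (status, module, version or "(no version line)", path))
```

Run it against each production webroot, not only the one you deploy from: a `review` result means a developer has to confirm the checkout date against the July 13, 2016 releases by hand, and any `vulnerable` Coder hit should be removed from the webroot outright, since upgrading a module that never belonged on production leaves the attack surface in place.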
Updating your Drupal sites
Note that in addition to these two security releases, the Drupal project recently released Drupal 7.50, a large feature and bug-fix update for the 7.x series. If you are already spending time updating these modules, you may wish to update core to 7.50 at the same time; it brings several new features to your Drupal site.
Works Cited / For Further Reading:
Coder - Highly Critical - Drupal Security Advisory, SA-CONTRIB-2016-039. (Drupal.org)
Coder project page and version control. (Drupal.org)
RESTWS - Highly Critical - Drupal Security Advisory, SA-CONTRIB-2016-040. (Drupal.org)
RESTful Web Services project page and version control. (Drupal.org)
Drupal 7.50 release: What is the latest secure version of Drupal? (Managed.com)