Remote Code Execution Vulnerabilities in Drupal 7 Third-party Modules


Josh Kwan

Jul 13, 2016, 1:05:59 PM
to micronet-announce lists.berkeley.edu
SUMMARY
===
Highly critical remote code execution vulnerabilities have been announced by the Drupal security team for the third-party modules RESTWS, Coder, and Webform Multiple File Upload. [1] [2] [3]

Open Berkeley Drupal sites managed by IST Web Platform Services are NOT affected. However, ISP is aware there are many unmanaged Drupal sites on campus. Owners of Drupal sites not on the Open Berkeley platform should inspect their configuration immediately.


IMPACT
===
Successful exploitation of these vulnerabilities will allow remote, arbitrary PHP code execution against affected Drupal sites.


VULNERABLE
===
* RESTful Web Services module 7.x-2.x versions prior to 7.x-2.6. [1]
* RESTful Web Services module 7.x-1.x versions prior to 7.x-1.7. [1]
* Coder module 7.x-1.x versions prior to 7.x-1.3. [2]
* Coder module 7.x-2.x versions prior to 7.x-2.6. [2]
* Webform Multifile module 7.x-1.x versions prior to 7.x-1.4. [3]


RECOMMENDATIONS
===
* If your Drupal site is not on the Open Berkeley platform, check your configuration for the affected modules and install the available security patches or disable the module(s). [1] [2] [3]
* Contact IST Web Platform Services for a consultation to have your site hosted and managed on the Open Berkeley platform. Open Berkeley sites regularly receive security updates. [5]


REFERENCES
===

Josh Kwan

Jul 13, 2016, 7:43:01 PM
to micronet-announce lists.berkeley.edu
Hi all,

The below is a correction and has been added to the Recommendations section of the Drupal security alert on the ISP website:
  • NOTE: The Coder module vulnerability can be exploited even when the module is disabled. Either uninstall the module or update immediately. [2]
Best,

Josh
==
Josh Kwan <jkwa...@berkeley.edu>
Security Analyst
Information Security and Policy
University of California, Berkeley
https://security.berkeley.edu
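The script below is an added example for readers of this thread; it is not part of the ISP advisory and not code from Berkeley ISP or the Drupal project. It walks a Drupal 7 code tree, reads every .info file it finds, and compares the version of the three affected projects against the fixed releases listed in the VULNERABLE section above. It deliberately looks at files on disk rather than at the site's enabled-module list, so a copy of Coder that is disabled but still installed is reported, which is the point of the correction in the second message. Assumptions: the drupal.org project machine names restws, coder and webform_multifile; the sample tree the script builds when run without an argument is constructed for demonstration and is not a real site.

```python
#!/usr/bin/env python3
"""Scan a Drupal 7 code tree for the module versions named in the advisory.

Added example, not part of the advisory. It reads every *.info file on disk,
so a module that is disabled but still installed (the Coder case) is reported.
Project machine names restws, coder and webform_multifile are assumed.
"""
import re
import sys
import tempfile
from pathlib import Path

# First fixed release per 7.x-N.x branch, from the advisory. A release with a
# smaller minor number in the same branch is vulnerable.
FIXED_IN = {
    "restws": {1: 7, 2: 6},
    "coder": {1: 3, 2: 6},
    "webform_multifile": {1: 4},
}

# 7.x-<branch>.<minor> with optional suffix, e.g. 7.x-2.5 or 7.x-2.x-dev
VERSION_RE = re.compile(r"^7\.x-(\d+)\.(\d+|x)(?:[-+].*)?$")
# scalar "key = value" lines; array keys such as files[] do not match
INFO_LINE_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"\r\n]*?)"?\s*$')


def parse_info(text):
    """Parse the scalar key = value lines of a Drupal 7 .info file."""
    data = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):  # ';' starts a comment line
            continue
        m = INFO_LINE_RE.match(line)
        if m:
            data[m.group(1)] = m.group(2)
    return data


def assess(project, version):
    """Return 'patched', 'vulnerable' or 'review' for an affected project.

    'review' needs a manual check: no version line (a git checkout), a dev
    snapshot such as 7.x-2.x-dev, or a branch the advisory does not list.
    """
    fixed = FIXED_IN[project]
    m = VERSION_RE.match(version or "")
    if not m or m.group(2) == "x" or int(m.group(1)) not in fixed:
        return "review"
    branch, minor = int(m.group(1)), int(m.group(2))
    return "patched" if minor >= fixed[branch] else "vulnerable"


def scan(root):
    """Return (project, version, status, path) for every affected copy found.

    The project comes from the 'project' key that drupal.org packaging adds;
    an unpackaged checkout has none, so the .info file name is used instead.
    Sub-modules share their parent's project key and are listed as well.
    """
    findings = []
    for info in sorted(Path(root).rglob("*.info")):
        data = parse_info(info.read_text(errors="replace"))
        project = data.get("project") or info.stem
        if project in FIXED_IN:
            version = data.get("version", "")
            findings.append((project, version, assess(project, version), str(info)))
    return findings


def build_sample_tree(base=None):
    """Write a constructed sample tree (not a real site) and return its root."""
    base = base or tempfile.mkdtemp()
    samples = {  # constructed contents; versions chosen to exercise each status
        "sites/all/modules/restws/restws.info":
            'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-2.5"\nproject = "restws"\n',
        "sites/all/modules/coder/coder.info":
            'name = Coder\ncore = 7.x\n; disabled in the UI but still on disk\n'
            'version = "7.x-2.6"\nproject = "coder"\n',
        "sites/all/modules/coder/coder_review/coder_review.info":
            'name = Coder Review\ncore = 7.x\nversion = "7.x-2.6"\nproject = "coder"\n',
        "sites/all/modules/webform_multifile/webform_multifile.info":
            "name = Webform Multiple File Upload\ncore = 7.x\nfiles[] = webform_multifile.module\n",
        "sites/all/modules/views/views.info":
            'name = Views\ncore = 7.x\nversion = "7.x-3.14"\nproject = "views"\n',
    }
    for rel, text in samples.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    findings = scan(root)
    for project, version, status, path in findings:
        print(f"{status:10} {project:18} {version or '(no version line)':18} {path}")
    sys.exit(1 if any(f[2] != "patched" for f in findings) else 0)
```

Run it with the site's document root as the argument (for example the directory that holds sites/all/modules); a non-zero exit status means at least one copy is vulnerable or needs a manual check. A checkout without a version line, or a -dev snapshot, is reported as "review" rather than guessed at, so compare such a copy against the fixed release by hand before trusting it.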