[Security-news] Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039

security-news at drupal.org security-news at drupal.org
Wed Jul 13 16:00:20 UTC 2016


View online: https://www.drupal.org/node/2765575

   * Advisory ID: DRUPAL-SA-CONTRIB-2016-039
   * Project: Coder [1]     (third-party module)
   * Version: 7.x
   * Date: 2016-July-13
   * Security risk: 20/25 ( Highly Critical)
     AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
   * Vulnerability: Arbitrary PHP code execution

-------- DESCRIPTION
---------------------------------------------------------

The Coder module checks your Drupal code against coding standards and other
best practices. It can also fix coding standard violations and perform basic
upgrades on modules.

The module doesn't sufficiently validate user inputs in a script file that
has the php extension. A malicious unauthenticated user can make requests
directly to this file to execute arbitrary php code.

There are no mitigating factors. The module does not need to be enabled for
this to be exploited. Its presence on the file system and being reachable
from the web are sufficient.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Coder module 7.x-1.x versions prior to 7.x-1.3.
   * Coder module 7.x-2.x versions prior to 7.x-2.6.

Drupal core is not affected. If you do not use the contributed Coder [4]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Two solutions are possible.

A first option is to remove the module from all publicly available websites:

   * The coder module is intended to be used in development environments and 
is
     not intended to be on publicly available servers. Therefore, one simple
     solution is to remove the entire coder module directory from any publicly
     accessible website.

A second option is to install the latest version:

   * If you use the Coder module for Drupal 7.x, upgrade to Coder 7.x-1.3 [5]
     or Coder 7.x-2.6 [6].

Also see the Coder [7] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Nicky Bloor [8]

-------- FIXED BY
------------------------------------------------------------

   * Jim Berry [9] the module maintainer
   * David Rothstein [10] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison [11] of the Drupal Security Team
   * Michael Hess [12] of the Drupal Security Team
   * Klaus Purer [13] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and  securing your site [17].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]


[1] https://www.drupal.org/project/coder
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/coder
[5] https://www.drupal.org/project/coder/releases/7.x-1.3
[6] https://www.drupal.org/project/coder/releases/7.x-2.6
[7] https://www.drupal.org/project/coder
[8] https://www.drupal.org/user/3469027
[9] https://www.drupal.org/user/240748
[10] https://www.drupal.org/user/124982
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/102818
[13] https://www.drupal.org/user/262198
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity



More information about the Security-news mailing list