- Advisory ID: DRUPAL-SA-CONTRIB-2016-039
- Project: Coder (third-party module)
- Version: 7.x
- Date: 2016-July-13
- Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
- Vulnerability: Arbitrary PHP code execution
The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.
The module doesn't sufficiently validate user input in a script file that has the .php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary PHP code.
There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Coder module 7.x-1.x versions prior to 7.x-1.3.
- Coder module 7.x-2.x versions prior to 7.x-2.6.
Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.
Two solutions are possible.
A first option is to remove the module from all publicly available websites:
- The coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire coder module directory from any publicly accessible website.
A second option is to install the latest version:
Also see the Coder project page.
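Because the module is exploitable merely by being present under a web-reachable directory, it helps to inventory every copy on disk rather than rely on the list of enabled modules. The following is an added example, not part of the advisory or the Coder project: it walks a docroot, finds each `coder.info`, and compares its packaged `version` line against the fixed releases named above. It assumes the copy was installed from a drupal.org package (which writes that `version` line); the status labels are this example's own.

```python
import os
import re

# Fixed releases named in the advisory: 7.x-1.3 and 7.x-2.6.
FIXED_MINOR = {"7.x-1": 3, "7.x-2": 6}
# Drupal.org packaging writes e.g.  version = "7.x-2.5"  into .info files.
VERSION_RE = re.compile(r'^\s*version\s*=\s*"?(\d+\.x-\d+)\.(\d+|x)([^"\s]*)', re.M)


def classify(info_text):
    """Return (version, status) for the contents of a coder.info file."""
    m = VERSION_RE.search(info_text)
    if not m:
        return None, "unknown"  # e.g. a git checkout with no version line
    branch, minor, suffix = m.groups()
    version = f"{branch}.{minor}{suffix}"
    # Dev snapshots, pre-releases and unlisted branches need manual review.
    if branch not in FIXED_MINOR or minor == "x" or suffix:
        return version, "unknown"
    status = "affected" if int(minor) < FIXED_MINOR[branch] else "fixed"
    return version, status


def scan(docroot):
    """List (directory, version, status) for each coder.info under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if "coder.info" in files:
            path = os.path.join(dirpath, "coder.info")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.append((dirpath, *classify(fh.read())))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for directory, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:8} {version or '-':14} {directory}")
```

Any directory this reports on a publicly reachable server is a candidate for removal under the first option, whatever its status; "unknown" entries have no comparable release number and need a manual check.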
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Klaus Purer of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity