Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039

By Drupal Security Team on 13 Jul 2016 at 14:59 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2016-039
Project: Coder (third-party module)
Version: 7.x
Date: 2016-July-13
Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution

Description

The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code.

There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

Coder module 7.x-1.x versions prior to 7.x-1.3.
Coder module 7.x-2.x versions prior to 7.x-2.6.

Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.

Solution

Two solutions are possible.

A first option is to remove the module from all publicly available websites:

The coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire coder module directory from any publicly accessible website.

A second option is to install the latest version: