Reference:
Details:
Highly critical Remote Code Execution (RCE) bugs that could allow attackers to fully take over any affected site were found in three separate Drupal modules. Below are the three Drupal modules, which together affect 10K websites:
1. RESTful Web Services: This module is used to create REST APIs. Admins using RESTful Web Services versions 7.x-2.x prior to 7.x-2.6 and versions 7.x-1.x prior to 7.x-1.7 on their Drupal websites are affected.
2. Coder: This module is used for code analysis. Coder module versions 7.x-1.x prior to 7.x-1.3 and versions 7.x-2.x prior to 7.x-2.6 are affected.
3. Webform Multiple File Upload: This module is used for collecting files from site visitors. The Webform Multiple File Upload module contains a Remote Code Execution flaw that could allow an attacker to take over any affected site entirely using specially crafted requests. This vulnerability exists in the Webform Multiple File Upload (webform_multifile) module versions 7.x-1.x.
Root cause:
1. RESTful Web Services: The vulnerability in RESTWS alters the default page callbacks for entities to provide additional information, which allows attackers to send specially crafted requests resulting in arbitrary PHP execution.
2. Coder: The Coder module does not properly validate user input in a script file that has the PHP extension, allowing a malicious unauthorized user to make requests directly to this file and execute arbitrary code. The Coder module does not even need to be enabled for the flaw to be exploited: the presence of the module on the file system and its being reachable from the web are enough.
3. Webform Multiple File Upload: The Webform Multiple File Upload module contains a Remote Code Execution (RCE) vulnerability: form inputs are unserialized, and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.
Possible recommendations:
1. RESTful Web Services: Install the latest version. If you use the 7.x-2.x branch of the RESTful Web Services module for Drupal 7.x, upgrade to RESTful Web Services 7.x-2.6. If you use the 7.x-1.x branch, upgrade to RESTful Web Services 7.x-1.7.
2. Coder: Remove the entire coder module directory from any publicly accessible website. If you use the Coder module for Drupal 7.x, upgrade to Coder 7.x-1.3 or Coder 7.x-2.6.
3. Webform Multiple File Upload: This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes. The classes bundled with Drupal 7 itself can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE. If you use the Webform Multifile module for Drupal 7.x, upgrade to Webform Multiple File Upload 7.x-1.4.
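The unserialize pattern behind root cause 3 and the hardening that the recommendation above implies, as an added illustration that is not code from the webform_multifile module or from Drupal; the class name, form field schema and sample submissions are hypothetical and constructed for this example:

```php
<?php
// Any class with __wakeup()/__destruct() is a candidate "gadget": its methods
// run as soon as unserialize() rebuilds an object of that class from request data.
// AuditLogger is a hypothetical class standing in for whatever a site has loaded.
class AuditLogger
{
    public $logfile = 'audit.log';
    public function __wakeup()
    {
        echo "AuditLogger::__wakeup() ran with logfile={$this->logfile}\n";
    }
}

// Vulnerable pattern: a serialized blob from the request is trusted as-is.
function vulnerable_decode(string $fieldValue): array
{
    $data = unserialize($fieldValue);   // objects are rebuilt, magic methods fire
    return is_array($data) ? $data : [];
}

// Hardened pattern: refuse to instantiate any class (PHP 7.0+), then validate
// the decoded structure against the fields the form actually expects.
function hardened_decode(string $fieldValue): array
{
    $data = @unserialize($fieldValue, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];   // reject scalars, malformed input and bare objects
    }
    $clean = [];
    foreach (['fid', 'filename'] as $key) {   // hypothetical form schema
        if (isset($data[$key]) && is_scalar($data[$key])) {
            $clean[$key] = (string) $data[$key];
        }
    }
    return $clean;
}

// Constructed samples: an honest submission and one carrying an embedded object.
$honest  = serialize(['fid' => 42, 'filename' => 'report.pdf']);
$crafted = 'a:1:{s:3:"fid";O:11:"AuditLogger":1:{s:7:"logfile";s:13:"/tmp/evil.log";}}';

vulnerable_decode($crafted);   // __wakeup() of the attacker-chosen class runs
// With allowed_classes => false the object is rebuilt as __PHP_Incomplete_Class,
// __wakeup() never runs, and the non-scalar 'fid' value is dropped.
var_dump(hardened_decode($crafted));
var_dump(hardened_decode($honest));
```

Replacing the serialized field with JSON (json_decode with the assoc flag) removes the object-instantiation path entirely and is the preferable fix where the form format can be changed.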