On Wednesday, Drupal’s security team revealed three “critical” remote code execution vulnerabilities in contributed modules that have left at least 13,000 websites at risk.
1. RESTful Web Services – a popular module used for creating REST APIs, which is currently installed on at least 5,804 websites.
RESTWS alters Drupal’s default page callbacks for entities to provide additional functionality, and some of those callbacks take the page path as a parameter, which lets attackers “send specially crafted requests resulting in arbitrary PHP execution.”
Because anonymous users can exploit this flaw and there are no mitigating factors, site owners are advised to update as soon as possible.
Sites running RESTful Web Services 7.x-2.x prior to 7.x-2.6 or 7.x-1.x prior to 7.x-1.7 are affected; admins should upgrade to the latest RESTful Web Services releases.
2. Coder – a module used for code analysis, which is currently installed on at least 4,951 sites.
The Coder module does not sufficiently validate user input in a script file with a .php extension, so an unauthenticated attacker can send requests directly to that file and execute arbitrary PHP code.
The module does not even need to be enabled: its presence on the file system in a web-reachable path is enough for an attacker to exploit the flaw. Disabling Coder in the administration UI is therefore not a fix; the files themselves must be updated or removed.
Coder 7.x-1.x prior to 7.x-1.3 and 7.x-2.x prior to 7.x-2.6 are affected. Admins running Coder on Drupal 7.x should upgrade to the latest releases.
3. Webform Multiple File Upload – a module used for collecting files from site visitors, which is currently installed on at least 3,076 sites.
The Webform Multiple File Upload module contains a remote code execution flaw: specially crafted requests let an attacker run code on the server, and any site visitor could potentially exploit it to take over the website and the underlying server entirely.
The flaw affects all 7.x-1.x releases of Webform Multiple File Upload (webform_multifile) prior to 7.x-1.4, which fixes it.
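As a practical check across all three advisories (an added example, not code from the article or from the Drupal security team): the script below walks a Drupal 7 docroot, reads the packaged `version = "7.x-…"` line that drupal.org’s packaging script writes into each released module’s .info file, and compares it with the first fixed release on that module’s branch. It deliberately inspects the file system rather than which modules are enabled, because the Coder flaw is reachable even when the module is disabled. The function names, the constructed .info files in `demo_scan()`, and the assumption that the site was installed from packaged releases (a plain git checkout has no version line and is reported as undecided) are assumptions of this example.

```python
import os
import re
import sys
import tempfile
from typing import Dict, List, NamedTuple, Optional, Tuple

# First fixed release named in each advisory, keyed by module machine name and
# by 7.x branch. Branches not listed here are not covered by the advisories.
FIXED_RELEASES: Dict[str, Dict[int, Tuple[int, int]]] = {
    "restws": {1: (1, 7), 2: (2, 6)},
    "coder": {1: (1, 3), 2: (2, 6)},
    "webform_multifile": {1: (1, 4)},
}

# Assumption: modules came from drupal.org packaged releases, whose packaging
# script appends a line such as   version = "7.x-2.5"   to every .info file.
_VERSION_RE = re.compile(r"""^\s*version\s*=\s*["']?(7\.x-[^"'\s]+)["']?""", re.M)
_RELEASE_RE = re.compile(r"^7\.x-(\d+)\.(\d+|x)(?:-(.+))?$")


class Finding(NamedTuple):
    module: str
    path: str
    version: Optional[str]
    vulnerable: Optional[bool]  # None: could not decide, review by hand


def parse_info_version(info_text: str) -> Optional[str]:
    """Return the packaged version string from a Drupal 7 .info file, or None."""
    m = _VERSION_RE.search(info_text)
    return m.group(1) if m else None


def is_vulnerable(module: str, version: Optional[str]) -> Optional[bool]:
    """Compare a packaged version against the first fixed release of its branch.

    True below the fix, False at or above it, None when no decision is
    possible: unknown module, missing version line, a -dev snapshot (the
    version string carries no commit date), or a branch the advisories omit.
    """
    if module not in FIXED_RELEASES or version is None:
        return None
    m = _RELEASE_RE.match(version)
    if not m or m.group(2) == "x":
        return None
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    fixed = FIXED_RELEASES[module].get(major)
    if fixed is None:
        return None
    # A pre-release of the fixed version (e.g. 7.x-2.6-beta1) predates the fix.
    return (major, minor) < fixed or ((major, minor) == fixed and bool(suffix))


def scan_docroot(docroot: str) -> List[Finding]:
    """Walk a Drupal docroot and report every copy of the three modules.

    The file system is checked rather than the system table's enabled flag,
    because the Coder flaw is reachable whether or not the module is enabled.
    """
    findings: List[Finding] = []
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            module = name[:-5] if name.endswith(".info") else ""
            if module in FIXED_RELEASES:
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    version = parse_info_version(fh.read())
                findings.append(Finding(module, path, version, is_vulnerable(module, version)))
    return findings


def demo_scan() -> Dict[str, Optional[bool]]:
    """Run the scan over a constructed mini docroot (sample data, not a real site)."""
    samples = {
        "sites/all/modules/restws/restws.info":
            'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-2.5"\n',
        "sites/all/modules/coder/coder.info":
            'name = Coder\ncore = 7.x\nversion = "7.x-2.6"\n',
        "sites/all/modules/webform_multifile/webform_multifile.info":
            'name = Webform Multiple File Upload\ncore = 7.x\n',  # git checkout: no version line
    }
    with tempfile.TemporaryDirectory() as docroot:
        for rel, text in samples.items():
            path = os.path.join(docroot, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return {f.module: f.vulnerable for f in scan_docroot(docroot)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: check_drupal_contrib.py /path/to/docroot  (demo run:)", demo_scan())
        sys.exit(0)
    for f in scan_docroot(sys.argv[1]):
        status = {True: "VULNERABLE", False: "fixed", None: "UNDECIDED"}[f.vulnerable]
        print(f"{status:11} {f.module:18} {f.version or '(no version line)':20} {f.path}")
```

Every UNDECIDED result (a -dev snapshot or a checkout without a version line) needs a manual look at the module's changelog or git history; the script only settles the cases the advisories' version ranges settle.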