Highly Critical Remote Code Execution patch for Drupal (PSA-2016-001)



Mattias Geniar, July 13, 2016


Update: patch released, see updates below.

For everyone running Drupal, beware: today a highly critical patch is going to be released.

There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). These contributed modules are used on between 1,000 and 10,000 sites. The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations. PSA-2016-001

Important to note: Drupal core itself isn't affected, only contributed modules.

Drupal core is not affected. Not all sites will be affected. You should review the published advisories on July 13th 2016 to see if any modules you use are affected. PSA-2016-001

The vulnerability is an "Arbitrary PHP code execution" one: anyone can use it to run PHP code of their choosing on the server. In most environments PHP isn't restricted in what it can do (no disable_functions, open_basedir or similar limits), so it can run shell commands, read and write any file the web server user can, and reach the database with the credentials in settings.php. Arbitrary PHP execution is therefore just as dangerous as a Bash remote code execution exploit. Make sure to keep an eye on the patch!

Update 13/07/2016

3 modules have been updated:

Get patching!

Here's the diff for the Coder module. The diff was taken with the patched file first, so the lines marked < are the new code added by the fix:

$ diff -r coder_upgrade/scripts/coder_upgrade.run.php \
   coder_upgrade/scripts/coder_upgrade.run.php
54,59d53
< if (!script_is_cli()) {
<   // Without proper web server configuration, this script can be invoked from a
<   // browser and is vulnerable to misuse.
<   return;
< }
<
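Review bot: this guard is defence in depth, not the fix, and the new comment says as much ('Without proper web server configuration'); the web server should still deny direct requests to the scripts/ directory, because the bare return; protects only this file and answers a browser probe with an empty 200. Consider sending a 403 status before returning so that a request for coder_upgrade.run.php shows up in the access log as a denied request.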
219,227d212
<
< /**
<  * Returns boolean indicating whether script is being run from the command line.
<  *
<  * @see drupal_is_cli()
<  */
< function script_is_cli() {
<   return (!isset($_SERVER['SERVER_SOFTWARE']) && (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)));
< }
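Review bot: script_is_cli() reads $_SERVER['argc'] without an isset() check, so on a SAPI where SERVER_SOFTWARE is absent and php_sapi_name() is not 'cli' it emits an undefined-index notice before deciding; write it as isset($_SERVER['argc']) && $_SERVER['argc'] > 0. The argc heuristic is also the weakest of the three, since a web request with register_argc_argv enabled gets argc populated from the query string, so in practice the function stands or falls on the leading !isset($_SERVER['SERVER_SOFTWARE']) test; PHP_SAPI === 'cli' on its own would be the more honest check.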

Here's the diff for the RESTWS module. Again the patched file comes first, so lines marked < are the fixed code and lines marked > are the vulnerable code they replace:

$ diff -r restws.module restws.module
268c268
<         'page arguments' => array($resource, 'drupal_not_found'),
---
>         'page arguments' => array($resource),
287c287
<         'page arguments' => array($resource, 'drupal_not_found'),
---
>         'page arguments' => array($resource),
308c308
<           'page arguments' => array($resource, 'drupal_not_found'),
---
>           'page arguments' => array($resource),
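Review bot: the explicit 'drupal_not_found' in the three page-arguments hunks at 268, 287 and 308 is the fix itself, not a cosmetic change, and every other menu item that routes to restws_page_callback() needs the same treatment: Drupal 7's menu_get_item() appends any request path components beyond the registered path to the item's page arguments, so with array($resource) alone the first trailing component of the URL arrives as $page_callback. Worth a pass over hook_menu() to confirm no entry still passes only array($resource).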
319,327d318
<  *
<  * @param string $resource
<  *   The name of the resource.
<  * @param string $page_callback
<  *   The page callback to pass through when the request is not handled by this
<  *   module. If no other pre-existing callback is used, 'drupal_not_found'
<  *   should be passed explicitly.
<  * @param mixed $arg1,...
<  *   Further arguments that are passed through to the given page callback.
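Review bot: the new @param text says 'drupal_not_found' should be passed explicitly but not why; add the reason (the menu router appends trailing URL components to the page arguments, so an omitted callback gets filled in from the request path), otherwise the next maintainer will reasonably treat the argument as optional again.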
329c320
< function restws_page_callback($resource, $page_callback) {
---
> function restws_page_callback($resource, $page_callback = NULL) {
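Review bot: dropping the = NULL default states the contract but does not enforce it on PHP 5 and 7, where calling a user function with a missing argument only raises a 'Missing argument' warning and continues with $page_callback unset; the requirement therefore lives entirely in hook_menu(), which is worth saying in the docblock next to the @param.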
431,433c422,427
<   // Fall back to the passed $page_callback and pass through more arguments.
<   $args = func_get_args();
<   return call_user_func_array($page_callback, array_slice($args, 2));
---
>   if (isset($page_callback)) {
>     // Further page callback arguments have been appended to our arguments.
>     $args = func_get_args();
>     return call_user_func_array($page_callback, array_slice($args, 2));
>   }
>   restws_terminate_request('404 Not Found');
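Review bot: the > lines show the root cause: isset($page_callback) was true whenever the router appended a trailing URL component, so the restws_terminate_request('404 Not Found') branch was unreachable for exactly the crafted requests it should have caught, and call_user_func_array() ran an attacker-named function with the remaining path components as its arguments. The new unconditional call is correct given the hook_menu() changes but moves the whole invariant to the callers; a one-line comment at this call site, stating that $page_callback must come from hook_menu() and never from the request, would help keep it that way.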

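To make the mechanism behind the RESTWS fix concrete, here is an added example (not RESTWS or Drupal code) that simulates, in plain PHP, how Drupal 7's menu_get_item() appends trailing URL path components to a router item's 'page arguments' and then dispatches to the page callback. The dispatch() helper, the constructed request path and the one-part registered path are assumptions made for the simulation; the two restws_page_callback_*() functions follow the shape of the > (vulnerable) and < (patched) lines above, with the REST format handling left out.

```php
<?php
// Added example, not RESTWS or Drupal code: a stand-alone simulation of how
// Drupal 7's menu router appends trailing URL path components to a router
// item's 'page arguments', and why that made restws_page_callback() reachable
// with an attacker-chosen callback. dispatch(), the router items and the
// request path below are constructed for the simulation.

// Stand-in for drupal_not_found(): just report the outcome. Extra arguments
// passed to it are ignored, as PHP does for any user-defined function.
function drupal_not_found() {
    return '404 Not Found';
}

// Shape of the vulnerable function (the '>' lines in the diff above), with the
// REST format negotiation left out: assume the request was not handled by the
// module and falls through to the passed callback.
function restws_page_callback_vulnerable($resource, $page_callback = NULL) {
    if (isset($page_callback)) {
        // Further page callback arguments have been appended to our arguments.
        $args = func_get_args();
        return call_user_func_array($page_callback, array_slice($args, 2));
    }
    return '404 Not Found';
}

// Shape of the patched function (the '<' lines): the callback is mandatory and
// always comes from hook_menu(), so the fall-through call is unconditional.
function restws_page_callback_fixed($resource, $page_callback) {
    $args = func_get_args();
    return call_user_func_array($page_callback, array_slice($args, 2));
}

// Simulated menu_get_item() + menu_execute_active_handler(): the router item
// registers a path of 'number_parts' components; every extra component of the
// requested path is appended to the item's page arguments.
function dispatch(array $router_item, $request_path) {
    $parts = explode('/', trim($request_path, '/'));
    $extra = array_slice($parts, $router_item['number_parts']);
    $args  = array_merge($router_item['page arguments'], $extra);
    return call_user_func_array($router_item['page callback'], $args);
}

// Constructed attacker request: a function name and an argument are appended
// after the registered one-part path. 'strtoupper' stands in for something
// harmful such as a function that runs a shell command.
$request = '/node/strtoupper/pwned';

$vulnerable_item = array(
    'number_parts'   => 1,
    'page callback'  => 'restws_page_callback_vulnerable',
    'page arguments' => array('node'),                    // as in the '>' lines
);
$fixed_item = array(
    'number_parts'   => 1,
    'page callback'  => 'restws_page_callback_fixed',
    'page arguments' => array('node', 'drupal_not_found'), // as in the '<' lines
);

echo "vulnerable: ", dispatch($vulnerable_item, $request), "\n";
echo "fixed:      ", dispatch($fixed_item, $request), "\n";
```

Run it with the PHP CLI. With array('node') as the page arguments, the first trailing path component (strtoupper) lands in $page_callback and call_user_func_array() runs it with the next component as its argument, so the attacker picks the function. With 'drupal_not_found' passed explicitly, the trailing components are shifted one position to the right and only ever reach drupal_not_found(), which ignores them. That shift is the whole fix, which is why the explicit argument in hook_menu() must never be dropped again.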
