Update: patch released, see updates below.
For everyone running Drupal, beware: today a highly critical patch is going to be released.
There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). These contributed modules are used on between 1,000 and 10,000 sites. The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations. PSA-2016-001
Important to know is that the Drupal core isn’t affected.
Drupal core is not affected. Not all sites will be affected. You should review the published advisories on July 13th 2016 to see if any modules you use are affected. PSA-2016-001
The vulnerability is a “Arbitrary PHP code execution” one, meaning anyone could use this vulnerability to execute PHP code they wrote on the server. In most environments, PHP isn’t limited to what it can and can not do, so allowing arbitrary PHP execution is just as dangerous as a Bash remote code execution exploit. Make sure to keep an eye on the patch!
Update 13/07/2016
3 modules have been updated:
- Coder (highly critical)
- RESTWS (highly critical)
- Webform Multiple File Upload (critical)
Get patching!
Here’s the diff for the Coder module:
$ diff -r coder_upgrade/scripts/coder_upgrade.run.php \
coder_upgrade/scripts/coder_upgrade.run.php
54,59d53
< if (!script_is_cli()) {
< // Without proper web server configuration, this script can be invoked from a
< // browser and is vulnerable to misuse.
< return;
< }
<
219,227d212
<
< /**
< * Returns boolean indicating whether script is being run from the command line.
< *
< * @see drupal_is_cli()
< */
< function script_is_cli() {
< return (!isset($_SERVER['SERVER_SOFTWARE']) && (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)));
< }
Here’s the diff for the RESTWS module:
$ diff -r restws.module restws.module
268c268
< 'page arguments' => array($resource, 'drupal_not_found'),
---
> 'page arguments' => array($resource),
287c287
< 'page arguments' => array($resource, 'drupal_not_found'),
---
> 'page arguments' => array($resource),
308c308
< 'page arguments' => array($resource, 'drupal_not_found'),
---
> 'page arguments' => array($resource),
319,327d318
< *
< * @param string $resource
< * The name of the resource.
< * @param string $page_callback
< * The page callback to pass through when the request is not handled by this
< * module. If no other pre-existing callback is used, 'drupal_not_found'
< * should be passed explicitly.
< * @param mixed $arg1,...
< * Further arguments that are passed through to the given page callback.
329c320
< function restws_page_callback($resource, $page_callback) {
---
> function restws_page_callback($resource, $page_callback = NULL) {
431,433c422,427
< // Fall back to the passed $page_callback and pass through more arguments.
< $args = func_get_args();
< return call_user_func_array($page_callback, array_slice($args, 2));
---
> if (isset($page_callback)) {
> // Further page callback arguments have been appended to our arguments.
> $args = func_get_args();
> return call_user_func_array($page_callback, array_slice($args, 2));
> }
> restws_terminate_request('404 Not Found');