[Micronet] [Announce] Remote Code Execution Vulnerabilities in Drupal 7 Third-party Modules

[Micronet] [Announce] Remote Code Execution Vulnerabilities in Drupal 7 Third-party Modules

Josh Kwan
SUMMARY
===
Highly critical remote code execution vulnerabilities have been announced by the Drupal security team for the third-party modules RESTWS, Coder, and Webform Multiple File Upload. [1] [2] [3]

Open Berkeley Drupal sites managed by IST Web Platform Services are NOT affected. However, ISP is aware there are many unmanaged Drupal sites on campus. Owners of Drupal sites not on the Open Berkeley platform should inspect their configuration immediately.


IMPACT
===
Successful exploitation of these vulnerabilities will allow remote, arbitrary PHP code execution against affected Drupal sites.


VULNERABLE
===
* RESTful Web Services module 7.x-2.x versions prior to 7.x-2.6. [1]
* RESTful Web Services module 7.x-1.x versions prior to 7.x-1.7. [1]
* Coder module 7.x-1.x versions prior to 7.x-1.3. [2]
* Coder module 7.x-2.x versions prior to 7.x-2.6. [2]
* Webform Multifile module 7.x-1.x versions prior to 7.x-1.4. [3]


RECOMMENDATIONS
===
If your Drupal site is not on the Open Berkeley platform, check your configuration for the affected modules and install the available security patches or disable the module(s). [1] [2] [3]
* Contact IST Web Platform Services for a consultation to have your site hosted and managed on the Open Berkeley platform. Open Berkeley sites regularly receive security updates. [5]


REFERENCES
===

--
You received this message because you are subscribed to the Google Groups "Micronet Announcements" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/a/lists.berkeley.edu/group/micronet-announce/.
To view this discussion on the web visit https://groups.google.com/a/lists.berkeley.edu/d/msgid/micronet-announce/CA%2BFOM7x7VkuUACUUg3Mqyd0EauJgcjbPoRy%2BNe14b8%2Bj%3DCiqaQ%40mail.gmail.com.
For more options, visit https://groups.google.com/a/lists.berkeley.edu/d/optout.

--
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:
 
To learn more about Micronet, please visit the Micronet Web site: http://micronet.berkeley.edu
 
Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
 
ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
---
You received this message because you are subscribed to the Google Groups "Micronet" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/a/lists.berkeley.edu/group/micronet-list/.
To view this discussion on the web visit https://groups.google.com/a/lists.berkeley.edu/d/msgid/micronet-list/CA%2BFOM7x7VkuUACUUg3Mqyd0EauJgcjbPoRy%2BNe14b8%2Bj%3DCiqaQ%40mail.gmail.com.
For more options, visit https://groups.google.com/a/lists.berkeley.edu/d/optout.
[Micronet] [Announce] Re: Remote Code Execution Vulnerabilities in Drupal 7 Third-party Modules

Josh Kwan
Hi all,

The below is a correction and has been added to the Recommendations section of the Drupal security alert on the ISP website:
* NOTE: The Coder module vulnerability can be exploited even when the module is disabled. Either uninstall the module or update immediately. [2]
Best,

Josh
==
Josh Kwan <[hidden email]>
Security Analyst
Information Security and Policy
University of California, Berkeley
https://security.berkeley.edu

On Wed, Jul 13, 2016 at 10:05 AM, Josh Kwan <[hidden email]> wrote:
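A version check for the three modules named in this advisory, added here as an example that is not part of the announcement or of the Drupal project's own tooling. It assumes the contrib directory names restws, coder and webform_multifile, reads the packaged version line from each module's .info file, and compares it with the fixed releases listed under VULNERABLE; the sample docroot it builds is constructed test data. Since the correction states that Coder is exploitable while disabled, any copy present on disk is reported, whether or not the site has it enabled.

```shell
#!/bin/sh
# Fixed releases taken from the advisory, keyed as module:branch:first-patched-minor.
# Module directory names are assumed contrib project names (not stated on the page).
FIXED="restws:7.x-1:7 restws:7.x-2:6 coder:7.x-1:3 coder:7.x-2:6 webform_multifile:7.x-1:4"

# fixed_minor MODULE BRANCH -> prints the first patched minor for that branch, else fails
fixed_minor() {
  for e in $FIXED; do
    case "$e" in "$1:$2:"*) printf '%s\n' "${e##*:}"; return 0;; esac
  done
  return 1
}

# check_module INFO_FILE -> "<module> <status> <version>", status being VULNERABLE,
# PATCHED, or UNKNOWN (no packaged version line, e.g. a dev/git checkout: treat as unpatched)
check_module() {
  info="$1"
  mod=$(basename "$info" .info)
  ver=$(sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$info" | head -n1)
  branch=${ver%.*}        # 7.x-2.5 -> 7.x-2
  minor=${ver##*.}        # 7.x-2.5 -> 5 ; dev builds give "x-dev"
  minor=${minor%%-*}      # drop -dev / -beta1 style suffixes
  case "$minor" in ''|*[!0-9]*) echo "$mod UNKNOWN ${ver:-none}"; return 0;; esac
  need=$(fixed_minor "$mod" "$branch") || { echo "$mod UNKNOWN $ver"; return 0; }
  if [ "$minor" -lt "$need" ]; then echo "$mod VULNERABLE $ver"; else echo "$mod PATCHED $ver"; fi
}

# scan_docroot DOCROOT -> one line per affected module found anywhere under it.
# Presence on disk is the criterion: this scan cannot see the enabled/disabled state
# in the database, and for Coder that state does not matter according to the correction.
scan_docroot() {
  find "$1" -type f \( -name restws.info -o -name coder.info -o -name webform_multifile.info \) |
  while read -r f; do check_module "$f"; done
}

# make_sample_docroot -> constructed Drupal 7 layout in a temp dir (sample data only);
# prints its path. One vulnerable module, one patched, one without a version line.
make_sample_docroot() {
  d=$(mktemp -d)
  for m in restws coder webform_multifile; do mkdir -p "$d/sites/all/modules/$m"; done
  printf 'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-2.5"\n' > "$d/sites/all/modules/restws/restws.info"
  printf 'name = Coder\ncore = 7.x\nversion = "7.x-1.3"\n' > "$d/sites/all/modules/coder/coder.info"
  printf 'name = Webform Multifile\ncore = 7.x\n' > "$d/sites/all/modules/webform_multifile/webform_multifile.info"
  printf '%s\n' "$d"
}

d=$(make_sample_docroot); scan_docroot "$d"; rm -rf "$d"   # demo run on the constructed docroot
```

Point scan_docroot at a real docroot (for example /var/www/html) to list the affected modules it contains; anything not reported as PATCHED should be updated or, for Coder, removed from disk.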