Drupal CMS Module Vulnerabilities Lead to Remote Code Execution

August 4, 2016

A few weeks ago, Drupal released an advisory stating that three of its third-party modules had been found to be vulnerable and advised users to update to the latest releases. These modules are the RESTWS, Coder, and Webform Multiple File Upload modules. Two of the vulnerabilities have been publicly disclosed, and the Dell SonicWALL research team has analyzed the exploitation details.

The first is the RESTWS Module Code Execution Vulnerability. The RESTWS module is used to create REST application programming interfaces (APIs). The vulnerability in this module allows a remote attacker to execute commands on the vulnerable web server.

The second is the Coder Module coder_upgrade.run.php Code Execution Vulnerability. The Coder module allows administrators and developers to check their code against various coding standards and best practices. This module also contains a remote code execution vulnerability.

The Dell SonicWALL team has written the following signatures that help protect our customers from these attacks:

  • IPS 11747: Drupal RESTWS Module Code Execution
  • IPS 11770: Drupal RESTWS Module Code Execution 2
  • IPS 11771: Drupal Coder Module Code Execution
  • WAF 1639: Drupal RESTWS Module Page Callback Remote Code Execution
  • WAF 1640: Drupal Coder Module Remote Code Execution