by David Snopek on July 13, 2016 - 11:03am

You may have noticed a PSA from the security team about some highly critical security updates coming out today.

The security advisories have just been released (for Drupal 7):

They are considered Highly Critical because they are Remote Code Execution (RCE) vulnerabilities, which means that attackers could potentially run arbitrary PHP code on your server, which they could use to add a backdoor to your system, compromise other sites or services, or use your server to attack other servers. These vulnerabilities are also exploitable by anonymous users, or via permissions commonly granted to anonymous users (i.e. the ability to fill out a Webform), so there are few mitigating factors.

Luckily, these only affect sites using these modules (Coder, RESTful Web Services or Webform Multiple File Upload), which the security team estimates as being between 1,000 and 10,000 sites.

However, the Coder vulnerability requires special note because it's possible to exploit sites that have the module even if it's disabled or uninstalled - simply having the Coder module present on your server and accessible to the web could make it vulnerable! Since this module is meant for development, we recommend just removing it from production servers.

If you use any of the above-mentioned modules on your Drupal 7 site, we recommend updating as soon as possible (or in the case of Coder, removing it).
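Because Coder can be exploited even when it is disabled or uninstalled, a list of enabled modules will not show whether a site is exposed; the check has to look at the filesystem. The script below is an added example, not code from the original post or from myDropWizard. It assumes the projects' machine names are coder, restws and webform_multifile, and that each module directory contains a matching .info file.

```shell
#!/bin/sh
# Added example: inventory the affected modules by what is on disk, because a
# disabled or uninstalled Coder copy never appears in the enabled-module list.
# Assumption: machine names coder, restws, webform_multifile (not in the post).
AFFECTED="coder restws webform_multifile"

# Print "module<TAB>version<TAB>directory" for every copy under the docroot.
find_affected_modules() {
    docroot=$1
    for name in $AFFECTED; do
        find "$docroot" -type f -name "$name.info" 2>/dev/null |
        while IFS= read -r info; do
            # Packaged releases carry a line such as: version = "7.x-0.0"
            version=$(sed -n 's/^version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$info" | head -n 1)
            printf '%s\t%s\t%s\n' "$name" "${version:-unknown}" "$(dirname "$info")"
        done
    done
}

# Exit 0 when any Coder copy exists under the docroot, enabled or not.
coder_present() {
    find_affected_modules "$1" | awk -F'\t' '$1 == "coder" { f = 1 } END { exit !f }'
}

# Constructed sample tree (not a real site; the version string is made up).
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/sites/all/modules/coder" "$root/sites/default/modules/restws"
    printf 'name = Coder\nversion = "7.x-0.0"\n' > "$root/sites/all/modules/coder/coder.info"
    printf 'name = RESTful web services\n' > "$root/sites/default/modules/restws/restws.info"
    echo "$root"
}

# Usage: sh check.sh /path/to/docroot
if [ $# -gt 0 ]; then
    find_affected_modules "$1"
fi
```

A version of "unknown" means the .info file has no packaged version line, so that copy needs to be checked by hand.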

If you're a myDropWizard customer, we've already made the updates (deployed directly to your site in most cases, or sent to you for testing if you've requested that as part of your workflow).

If you're interested in having myDropWizard perform support and maintenance on your site or your clients' sites so that you don't have to worry about this sort of thing, please contact us!

Does this affect Drupal 6 too?

Only the Drupal 6 version of Webform Multiple File Upload is vulnerable.

(Coder for Drupal 6 isn't affected, and RESTful Web Services isn't available for Drupal 6.)

With the help of the D6LTS vendors, a new version was released.

You can also download the patch.

If you have a Drupal 6 site using the Webform Multiple File Upload module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily 
