[SA-CONTRIB-2016-039] Arbitrary PHP code execution
The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.
The module doesn’t sufficiently validate user input in a script file that has the .php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary PHP code.
There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.
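Because the attack surface here is a module script that is served directly by the web server rather than routed through Drupal's front controller, one practical detection is to watch access logs for any request that addresses a .php file inside a module, theme or library directory. The following is an added example written for this advisory, not code from the Coder module or from the Drupal security team; the log lines are constructed, and the script path in them is a placeholder, not the real file name from the module.

```python
"""Flag direct web requests to PHP scripts inside Drupal module directories.

Added example (not from the Coder module or the Drupal project). On a Drupal
site every legitimate page request passes through index.php at the web root,
so a request for a .php file under sites/*/modules, profiles/*/modules or the
core modules directory is anomalous and worth alerting on. Sample log lines
and the script path in them are constructed placeholders.
"""
import re
from typing import Dict, List

# Apache/nginx "combined" log format: client IP ... [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Directories whose PHP files should never be requested directly (Drupal 7 and 8 layouts).
MODULE_DIR_RE = re.compile(
    r'^/(?:sites/[^/]+/(?:modules|themes|libraries)'
    r'|profiles/[^/]+/modules|modules|themes|core/modules)/.*\.php(?:$|\?)',
    re.IGNORECASE,
)

# Constructed sample log; "example_script.php" is a placeholder, not the module's real file.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2016:12:00:01 +0000] "GET /node/1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:12:00:02 +0000] "GET /index.php?q=user/login HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2016:12:00:05 +0000] "GET /sites/all/modules/coder/scripts/example_script.php?file=x HTTP/1.1" 200 77 "-" "curl/7.47.0"
198.51.100.23 - - [10/Jun/2016:12:00:06 +0000] "POST /sites/all/modules/coder/scripts/example_script.php HTTP/1.1" 200 91 "-" "curl/7.47.0"
192.0.2.9 - - [10/Jun/2016:12:00:09 +0000] "GET /sites/all/modules/views/views.module HTTP/1.1" 403 210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2016:12:00:10 +0000] "GET /misc/drupal.js HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_direct_module_php_request(path: str) -> bool:
    """True when the request path names a .php file under a module/theme/library directory."""
    return bool(MODULE_DIR_RE.match(path))


def find_direct_module_php_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed log record whose path is a direct module-script request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_direct_module_php_request(rec["path"]):
            findings.append(rec)
    return findings


def served_findings(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Subset of findings the server answered with 2xx: the script exists and ran."""
    return [f for f in findings if f["status"].startswith("2")]


def summarize_by_client(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count direct module-script requests per client IP."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_direct_module_php_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("served (2xx):", len(served_findings(hits)))
    print("per client:", summarize_by_client(hits))
```

A 2xx response to such a request is the important signal: it means the script is present on the file system and reachable from the web, which is exactly the condition the advisory says is sufficient for exploitation. Requests for `.module`, `.inc` or `.install` files are already denied by Drupal's shipped `.htaccess` rules and show up as 403, so the detector deliberately leaves them out.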
This vulnerability affects the following application versions:
- Drupal Module Coder 7.x-1.0
- Drupal Module Coder 7.x-1.0-beta5
- Drupal Module Coder 7.x-1.0-beta6
- Drupal Module Coder 7.x-1.1
- Drupal Module Coder 7.x-1.2
- Drupal Module Coder 7.x-2.0
- Drupal Module Coder 7.x-2.0-beta1
- Drupal Module Coder 7.x-2.0-beta2
- Drupal Module Coder 7.x-2.1
- Drupal Module Coder 7.x-2.2
- Drupal Module Coder 7.x-2.3
- Drupal Module Coder 7.x-2.4
- Drupal Module Coder 7.x-2.5
- Drupal Module Coder 8.x-2.0-alpha1