Drupal Coder Module Deserialization RCE
Critical Nessus Plugin ID 92626
SynopsisA PHP application running on the remote web server is affected by a remote code execution vulnerability.
DescriptionThe version of Drupal running on the remote web server is affected by a remote code execution vulnerability in the Coder module, specifically in file coder_upgrade.run.php, due to improper validation of user-supplied input to the unserialize() function. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary PHP code.
SolutionUpgrade the Coder module to version 7.x-1.3 / 7.x-2.6 or later.
Alternatively, remove the entire Coder module directory from any publicly accessible website.