Drupal CODER Module Remote Command Execution

Posted by deepcore on July 27, 2016 – 5:56 am

This Metasploit module exploits a Remote Command Execution vulnerability in Drupal CODER Module. Unauthenticated users can execute arbitrary command under the context of the web server user. CODER module doesn’t sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary command. The module does not need to be enabled for this to be exploited This Metasploit module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« [local] – VMware – Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010) CodoForum 3.2.1 SQL Injection »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Drupal CODER Module Remote Command Execution

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL