On Tuesday, July 12th, the Drupal security team issued a Public Service Announcement (PSA) about a highly critical security release that happened today, Wednesday, July 13th, for 3 Drupal contributed modules. This security release was ranked highly critical and announced with a PSA because the vulnerability allows an attacker to execute their own PHP code on your site. Here are a few important things to know:
- This is not a problem in Drupal core.
- This is only for the contributed projects RESTWS, Coder (even if it is disabled!), and Webform Multiple File Upload.
- If you do not apply the security updates to these modules on a site connected in any way to the internet, your site can, and very likely will, be hacked.
How to Secure Your Site
In order to make sure your site is secure, review all of your Drupal 7 sites to see if they are using any of the affected modules. If so, you need to either upgrade the module to the latest release that came out today, or find and apply the patch to the code directly.
You can find instructions on Drupal.org to update a module. We’ve also made our video lessons Updating Drupal Contributed Modules and Drush Commands for Site Administrators free for the next few weeks. The first will show you how to use Drupal’s built-in Update Manager to update the modules directly through the admin interface of your site, and the second will show you how to use Drush for the same process.
Bevan Rudge wrote a good article explaining how to prepare for this security release. While the release is already out now, it is still a good list of things you should go through. He also walks through the steps for applying the security fixes by manually applying the security patch.
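To help with the first step above (checking every Drupal 7 site for the affected modules), here is a small POSIX shell script, added here and not part of the original post or of any Drupal project. It searches the docroot on disk rather than the enabled-module list, because Coder is exploitable even when disabled. The module machine names restws, coder and webform_multifile are assumed (the post only gives the project titles), and the sample docroot it builds is constructed for demonstration.

```shell
#!/bin/sh
# Affected projects from the July 13th contrib security release.
# Machine names are assumed, not taken from the post.
AFFECTED="restws coder webform_multifile"

# find_affected DOCROOT
# Prints one line per affected module found on disk:
#   "<module> <version-or-unknown> <path-to-.info>"
# Looks at files on disk, not enabled modules: Coder is
# exploitable even when disabled, so code presence is what matters.
find_affected() {
  docroot="$1"
  for m in $AFFECTED; do
    find "$docroot/sites" "$docroot/profiles" -type f -name "$m.info" 2>/dev/null |
      while IFS= read -r info; do
        # drupal.org packaging writes: version = "7.x-1.2"
        ver=$(sed -n 's/^version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$info" | head -n 1)
        printf '%s %s %s\n' "$m" "${ver:-unknown}" "$info"
      done
  done
}

# count_affected DOCROOT -> number of affected module copies found
count_affected() {
  find_affected "$1" | wc -l | tr -d ' '
}

# Builds a constructed sample docroot (one affected, one unaffected module)
# and prints its path; used only to demonstrate the check.
make_sample_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/sites/all/modules/contrib/coder" "$d/sites/all/modules/views"
  printf 'name = Coder\ncore = 7.x\nversion = "7.x-2.5"\n' \
    > "$d/sites/all/modules/contrib/coder/coder.info"
  printf 'name = Views\ncore = 7.x\nversion = "7.x-3.14"\n' \
    > "$d/sites/all/modules/views/views.info"
  printf '%s\n' "$d"
}

# Usage against real sites: for d in /var/www/*/docroot; do find_affected "$d"; done
```

Any line of output means that docroot needs the updated release or the patch applied, whether or not the module is enabled.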
If you're just learning about this critical update from this blog post, you should make sure that you can be informed more quickly in the future. Even if none of these modules affect you, the next time it might be something that does. Drupal always does security releases on Wednesdays. There are numerous channels to stay informed.
Start by making sure you have the core Update Manager module enabled, which provides you with an Available updates report on your site. This report shows you all new updates ready for your site. Most people are familiar with this report. If you go to the Settings tab in there, you can also configure the site to notify you by email whenever there are new releases — either generally, or just for security updates. Every site should have someone being notified of available security updates through Update Manager.
Speaking of emails, you can also put yourself on the security newsletter email list through Drupal.org. To subscribe, log in to Drupal.org, go to your user profile page and subscribe to the security newsletter by going to the Edit tab and then the My newsletters tab.
Beyond email, you can find all security releases on Drupal.org’s security advisories page. There are RSS feeds available for core, contrib, and public service announcements, like this one, which are used when there is a particularly critical situation. You can also follow @drupalsecurity on Twitter.