[dergachev]

Oh hey, Elijah! I found out about this HN post because my friend wrote to me about it, so I guess you're doing a good deed for the community.

I want to note that these vulnerabilities are in 3 Drupal 7 contributed modules:

RESTWS (we personally never used this, but it has 5k installs)

Coder (we use its scripts all the time, but install it only in Dev environment, not in Drupal codebase. However, we did have a client with 3 projects running it, and they're patching it now)

Webform Multiple File Upload (we never used this, but it has 3k installs)

So for context, this isn't exactly "Drupalgeddon 2.0", but if you know someone who uses Drupal 7, they should check if they're using these modules, and update them.

[pfg]

Small addition re: Coder: It's not necessary for the module to be enabled in order to be exploitable, it just has to be somewhere in your document root[1]. If you share the same code base between dev and production, you might be vulnerable even if it's disabled in production.

[1]: https://twitter.com/drupalsecurity/status/753263548458004480

[ElijahLynn]

Thanks for posting that very important point about the Coder module. We were mitigated by the fact we used Composer to install an internal distribution and Coder was in our /vendor/drupal/coder directory, not inside docroot.

[ElijahLynn]

Sup Alex! Small world. Thanks for posting details in here, I should have done that after posting but it was my first time posting and I didn't think to put it in a comment.