The Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files.
The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.
The vulnerability could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.
“Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.” reads the security advisory published by Drupal.
The development team has addressed the flaw in Drupal 7, 8 and 9 with the release of versions 7.74, 8.8.11, 8.9.9, and 9.0.8.
The vulnerability was reported to team by the following experts:
The development team recommends users to check their servers for files that include more than one extension, such as filename.php.txt or filename.html.gif.
In March, the development team released security updates for versions 8.8.x and 8.7.x that fix two XSS vulnerabilities affecting the CKEditor library.
In May they addressed XSS and open redirect flaws, while in June they released security updates to address multiple security vulnerabilities, including a “critical” flaw tracked as CVE-2020-13664 that could be exploited by an attacker to execute arbitrary PHP code.
(SecurityAffairs – hacking, Drupal)