The Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files.
The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.
The vulnerability could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.
“Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.” reads the security advisory published by Drupal.
The development team has addressed the flaw in Drupal 7, 8 and 9 with the release of versions 7.74, 8.8.11, 8.9.9, and 9.0.8.
The vulnerability was reported to team by the following experts:
The development team recommends users to check their servers for files that include more than one extension, such as filename.php.txt or filename.html.gif.
In March, the development team released security updates for versions 8.8.x and 8.7.x that fix two XSS vulnerabilities affecting the CKEditor library.
In May they addressed XSS and open redirect flaws, while in June they released security updates to address multiple security vulnerabilities, including a “critical” flaw tracked as CVE-2020-13664 that could be exploited by an attacker to execute arbitrary PHP code.
(SecurityAffairs – hacking, Drupal)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.