Drupal has released emergency security updates to address a critical vulnerability with known exploits that could be exploited to achieve arbitrary PHP code execution on some CMS versions.
As a consequence, multiple vulnerabilities impact Drupal installs when they are configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
“Drupal has released security updates to address vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system.” reads the advisory published by CISA.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisory SA-CORE-2020-013 and apply the necessary updates.”
“According to the regular security release window schedule, November 25th would not typically be a core security window,” reads the security advisory published by Drupal.
“However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”
Drupal released the following updates to address the issues:
“Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage,” Drupal’s security team added.
Drupal also recommends to mitigate this issue by preventing untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.
The number of vulnerable Drupal installs is approximatively over 940,000 out of a total of 1,120,94.
Last week, the Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files.
The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.
The flaw could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.
(SecurityAffairs – hacking, PHP code execution)