Drupal developers have released security updates to address multiple vulnerabilities in the popular CMS:
The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for the above vulnerabilities.
The most severe one, rated as “critical,” is an arbitrary PHP code execution tracked as CVE-2022-25277.
“Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).” reads the advisory. “However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.”
In order to mitigate the issue, it is mandatory for the field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. The vulnerability impacts 9.4, and 9.3 versions, the advisory states that the issue only affects Apache web servers with specific configurations.
The other three vulnerabilities have been rated as “moderately critical,” that can lead to cross-site scripting (XSS) attacks, information disclosure, or access bypass.
All the issues impact the 9.4, and 9.3 versions, but the information disclosure vulnerability also impacts version 7.
(SecurityAffairs – Content Management System, critical code execution flaw)