Drupal, a popular CMS and blogging platform, has patched a remote code execution vulnerability, CVE-2020-13671. Today, over half a million sites use Drupal, so applying updates for critical vulnerabilities like this one immediately is vital.

The vulnerability, also tracked as SA-CORE-2020-012, exists due to improper validation of the filenames of files uploaded to Drupal websites. A remote attacker can upload files with crafted filenames. Since the vulnerable versions do not properly sanitize these filenames, it is possible to trick the uploader into treating a file as, say, PHP, and have it execute arbitrary code on the server.

“Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations,” states Drupal’s security advisory.

Multiple patched versions released

Drupal has released patches for multiple versions, depending on what branch you are using:

If you are using Drupal 7, update to Drupal 7.74.
If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11.
If you are using Drupal 8.9, update to Drupal 8.9.9.
If you are using Drupal 9.0, update to Drupal 9.0.8.

“Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage,” states the advisory.

In addition, for due diligence, website admins should check all previously uploaded files for malicious extensions. The security advisory suggests looking for files with more than one extension, such as or.

“Look specifically for files that include more than one extension, like or, without an underscore (_) in the extension. These files are really PHP or HTML files containing code but have been disguised as text/image files via a misleading file extension.”