Is your website running on Drupal? If so, beware, as security researchers discovered a security weakness in the system that needs to be patched immediately. The vulnerability, CVE-2020-13671 is critical and can lead to site takeovers if exploited successfully. If your website is indeed running on Drupal, you should also monitor it for attack attempts leveraging the flaw.
CVE-2020-13671 Critical Hole in Drupal Sites
According to its official description, the flaw exists because the Drupal core in its standard release doesn’t correctly sanitize specific filenames on uploaded files. This vulnerable condition could lead to files being interpreted as having an incorrect extension and served as the wrong MIME type. Hackers could also execute these files as PHP for specific hosting configurations. The CVE-2020-13671 vulnerability affects Drupal Core 9.0 versions before 9.0.8, 8.9 versions before 8.9, 8.8 versions before 8.8.11, and 7 versions before 7.74.
In other words, a malicious file can also be interpreted in the way described above. Fortunately, fixes are already available, and website admins should upgrade their Drupal configurations as soon as possible. Drupal hasn’t confirmed whether the flaw has been abused in the wild, but admins should audit previously uploaded files to check for malicious extensions. If you don’t know where to look, look for files that include more than one extension, such as filename.php.txt or filename.html.gif, without an underscore (_) in the extension.
“Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm, phtml. This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis,” Drupal said in its advisory.
More about Drupal
Drupal is a free and open-source CMS. It is the fourth most common content management system after WordPress, Shopify, and Joomla. Attacks against Drupal-running sites have happened in the past. If your website runs on this CMS, beware that Drupal version 7.x will reach its end-of-life in November next year. You may want to start planning your upgrade before it’s too late.
Recently, we wrote about some vulnerabilities that endangered millions of WordPress sites. You should remember to check all installed plugins, widgets, and other apps, and make sure they are running on the latest possible versions. The rule applies to any content management system.