Drupal, which is currently the fourth most used CMS on the internet after WordPress, Shopify, and Joomla, gave the vulnerability a rating of "Critical," advising site owners to patch as soon as possible.
The team behind the Drupal content management system (CMS) has released security updates to patch a critical vulnerability that can grant attackers full control over vulnerable sites. The vulnerability, tracked as CVE-2020-13671, is ridiculously simple to exploit and relies on the good ol' "double extension" trick.
Attackers can add a second extension to a malicious file, upload it on a Drupal site through open upload fields, and have the malicious file executed, as reported by ZDNet.
Normally, files with two extensions would be detected, but in a security advisory published on Wednesday, Drupal devs said the vulnerability resides in the fact that the Drupal CMS does not sanitize "certain" file names, allowing some malicious files to slip through.
Drupal devs say this "can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations." Security updates were released for the Drupal 7, 8, and 9 versions to correct the file upload sanitization procedures.
But the Drupal team also urges site admins to review recent uploads for files with two extensions, in case the bug was discovered and exploited by attackers before the patch.
Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions.
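A defender-side check for the review step above, as an added example that is not Drupal's own code: it flags uploads whose name carries a dangerous extension before the final one and shows the underscore-munging approach used to neutralise such names. The extension list is an assumption for illustration (".php" is the one the article names); take the real list from the advisory for your version.

```python
import os
import tempfile
from typing import Iterable, List

# Assumed example list: ".php" is the extension the article names; the
# others are common server-side script extensions added as an assumption.
DANGEROUS_EXTENSIONS = {"php", "phtml", "phar"}

def extension_chain(filename: str) -> List[str]:
    """'archive.php.txt' -> ['php', 'txt'] (lowercased, base name dropped)."""
    parts = os.path.basename(filename).split(".")
    return [p.lower() for p in parts[1:]]

def is_double_extension_risk(filename: str,
                             dangerous: Iterable[str] = DANGEROUS_EXTENSIONS) -> bool:
    """True when a dangerous extension sits anywhere before the final one,
    e.g. 'notes.php.txt' or 'avatar.PHP.jpg'; a plain 'x.php' is not a double extension."""
    danger = {d.lower() for d in dangerous}
    return any(ext in danger for ext in extension_chain(filename)[:-1])

def munge_filename(filename: str,
                   dangerous: Iterable[str] = DANGEROUS_EXTENSIONS) -> str:
    """Neutralise intermediate dangerous extensions by appending '_'
    ('notes.php.txt' -> 'notes.php_.txt'), the usual server-side fix;
    modeled on that approach, not Drupal's own implementation."""
    danger = {d.lower() for d in dangerous}
    parts = os.path.basename(filename).split(".")
    for i in range(1, len(parts) - 1):  # skip base name and final extension
        if parts[i].lower() in danger:
            parts[i] += "_"
    return ".".join(parts)

def scan_uploads(root: str, dangerous: Iterable[str] = DANGEROUS_EXTENSIONS) -> List[str]:
    """Walk an upload directory; return paths that carry a dangerous
    extension followed by one or more further extensions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files
                 if is_double_extension_risk(n, dangerous)]
    return sorted(hits)

def demo_scan() -> List[str]:
    """Constructed sample upload tree in a temp dir, scanned and reduced to names."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.pdf", "notes.php.txt", "avatar.PHP.jpg", "index.php"):
            open(os.path.join(tmp, name), "w").close()
        return [os.path.basename(p) for p in scan_uploads(tmp)]
```

Run `scan_uploads` against the site's public files directory after patching; every hit is a candidate for manual review rather than automatic deletion, since legitimate names like `report.2020.pdf` never match but `x.php.jpg` always does.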