Security News > 2020 > November > Drupal-based sites open to attack via double extension files (CVE-2020-13671)
Admins of sites running on Drupal are urged to plug a critical security hole that may be exploited by attackers to take over vulnerable sites.
CVE-2020-13671 exists because Drupal core does not properly sanitize certain filenames on uploaded files.
A malicious file with a double extension could be "Interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations," the Drupal security team noted.
"Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm, phtml. This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis," they advised.
Though the number of sites depending on Drupal is much, much smaller that the number of WordPress-based sites, it is still over a million.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/PJStF5W_hwE/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. | 8.8 |