Drupal has fixed a critical bug that could allow hackers to gain full
access to vulnerable websites. Drupal is currently the fourth most
used content management system (CMS) platform on the internet, after
WordPress, Shopify and Joomla.
The Drupal team this week released security updates to patch the
critical vulnerability.
Tracked as CVE-2020-13671, the vulnerability is easy to exploit and
relies on the “double extension” trick.
“Hackers can add a second extension to a malicious file, upload it on
a Drupal site through an upload field, and have the malicious file
executed,” the report said on Saturday.
Example: an attacker creates a malicious file virus.php and renames it
to virus.php.txt. When virus.php.txt is uploaded to the Drupal site,
the file is classified as a text file rather than a PHP file, but
Drupal ends up executing the malicious PHP code when it tries to
read the text file.
The Drupal team said Drupal core does not properly sanitize certain
filenames on uploaded files, which can lead to files being interpreted
as the incorrect extension and served as the wrong MIME type, or
executed as PHP for certain hosting configurations.

The Drupal team urges site admins to review recently uploaded files
with two extensions, paying specific attention to the following file
extensions, which should be considered dangerous even when
followed by one or more additional extensions:
 phar
 php
 pl
 py
 cgi
 asp
 js
 html
 htm
 phtml
This list is not exhaustive, so evaluate security concerns for other
unmunged extensions on a case-by-case basis, the Drupal team said.
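As an added illustration (not code from Drupal or from the advisory), a small Python audit script that applies the review advice above: it flags uploaded files whose name carries one of the listed extensions followed by one or more further extensions, and shows a defanged name in an assumed underscore style (the rename only needs to stop a web server from matching ".php"). The sample file listing is constructed for the example.

```python
import os

# Extensions the Drupal advisory lists as dangerous even when followed by
# further extensions (the advisory says the list is not exhaustive).
DANGEROUS_EXTENSIONS = {
    "phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml",
}


def dangerous_inner_extensions(filename):
    """Return the dangerous extensions that sit before the final extension.

    'virus.php.txt' -> ['php'], 'report.txt' -> [], 'script.py' -> [].
    A single dangerous extension is caught by an ordinary extension check;
    this function targets the double-extension case the advisory describes.
    """
    parts = filename.lower().split(".")
    inner = parts[1:-1]  # skip the basename and the final (apparent) extension
    return [ext for ext in inner if ext in DANGEROUS_EXTENSIONS]


def munge_filename(filename):
    """Defang dangerous inner extensions by appending an underscore,
    e.g. 'virus.php.txt' -> 'virus.php_.txt' (assumed munging style)."""
    parts = filename.split(".")
    for i in range(1, len(parts) - 1):
        if parts[i].lower() in DANGEROUS_EXTENSIONS:
            parts[i] += "_"
    return ".".join(parts)


def review_uploads(filenames):
    """The advisory's audit step: names carrying a dangerous extension that is
    followed by one or more additional extensions."""
    return [name for name in filenames if dangerous_inner_extensions(name)]


def review_directory(path):
    """Run the same audit over a real upload directory (recursively)."""
    names = [f for _, _, files in os.walk(path) for f in files]
    return review_uploads(names)


# Constructed sample listing standing in for a real files directory.
SAMPLE_UPLOADS = [
    "virus.php.txt", "report-2020.pdf", "photo.JPG", "backdoor.phtml.png",
    "notes.txt", "script.py", "archive.tar.gz",
]

if __name__ == "__main__":
    for name in review_uploads(SAMPLE_UPLOADS):
        print(f"{name}: hides {dangerous_inner_extensions(name)}; "
              f"defanged name {munge_filename(name)}")
```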

So install the updated version of Drupal.
