The team behind the Drupal content management system (CMS) released security updates this week to patch a critical vulnerability that is easy to exploit and can grant attackers full control over vulnerable sites.
Drupal, which is currently the fourth most used CMS on the internet after WordPress, Shopify, and Joomla, gave the vulnerability a rating of "Critical," advising site owners to patch as soon as possible.
Tracked as CVE-2020-13671, the vulnerability is ridiculously simple to exploit and relies on the good ol' "double extension" trick.
Attackers can add a second extension to a malicious file, upload it on a Drupal site through any form that accepts file uploads, and have the malicious code executed.
For example, a malicious file like malware.php could be renamed to malware.php.txt. When uploaded on a Drupal site, the file is classified as a text file rather than a PHP file and the upload is accepted. The code does not run inside Drupal itself; it runs on hosts where the web server decides what to execute by looking at every extension in the name. Apache's mod_mime, for instance, treats each dot-separated segment as an extension, so with an AddHandler directive for .php a request for malware.php.txt is handed to the PHP interpreter and the attacker's code runs.
Drupal devs urge site admins to review recent uploads
Normally, Drupal neutralizes such names on upload by inserting an underscore after the inner extension (malware.php.txt becomes malware.php_.txt, which no handler will execute), but in a security advisory[1] published on Wednesday, Drupal devs said the vulnerability resides in the fact that the Drupal CMS does not sanitize "certain" file names, allowing some malicious files to slip through with the double extension intact.
Drupal devs say this "can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations."
Security updates were released for Drupal 7, 8, and 9 (versions 7.74, 8.8.11, 8.9.9, and 9.0.8) to correct the file upload sanitization procedures.
But the Drupal team also urges site admins to audit previously uploaded files for names that carry more than one extension without an underscore in it, such as filename.php.txt or filename.html.gif, in case the bug was discovered and exploited by attackers before the patch was applied.
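As an added example, not code from the Drupal project or from the advisory, the following POSIX shell script implements that audit over a files directory. It assumes the default public files path sites/default/files, and the list of "dangerous" inner extensions it matches is an illustrative one chosen here, not Drupal's own extension list. The demo tree it builds (report.txt, safe.php_.txt, malware.php.txt and so on) is constructed for the example.

```shell
#!/bin/sh
# Added example (not Drupal's own code): audit a Drupal files directory for
# uploads whose name carries a script-type extension followed by a second,
# harmless-looking one, i.e. names that Drupal's usual sanitisation would have
# rewritten with an underscore (malware.php.txt -> malware.php_.txt).
# ASSUMPTION: the list of "dangerous" inner extensions below is illustrative
# and was chosen for this example; it is not Drupal's own extension list.

# Print the path of every regular file under $1 whose basename matches
#   .<dangerous-ext>.<anything>[.<anything>...]
# Munged names such as ".php_.txt" do not match because the underscore
# breaks the ".php." pattern, which is exactly the distinction the audit needs.
audit_double_ext() {
  dir="$1"
  find "$dir" -type f | while IFS= read -r path; do
    name=${path##*/}   # basename without spawning a subshell
    if printf '%s\n' "$name" |
       grep -Eiq '\.(php[0-9]?|phtml|phar|pl|py|cgi|asp|aspx|jsp|htm|html)(\.[A-Za-z0-9]+)+$'; then
      printf '%s\n' "$path"
    fi
  done
}

# Constructed demo: build a throw-away tree that mimics sites/default/files
# with a mix of benign, munged and suspicious names, run the audit over it,
# print the hits on stdout and clean up.
demo() {
  tmp=$(mktemp -d)
  files="$tmp/sites/default/files"
  mkdir -p "$files"
  for f in report.txt cat.jpg safe.php_.txt \
           malware.php.txt backdoor.html.gif index.PHP.png; do
    : > "$files/$f"   # empty placeholder files; only the names matter here
  done
  audit_double_ext "$files"
  rm -rf "$tmp"
}

# On a real site (assumed default path) you would run, for example:
#   audit_double_ext /var/www/html/sites/default/files
demo
```

The demo reports malware.php.txt, backdoor.html.gif and index.PHP.png (the match is case-insensitive, since Apache's extension handling is too) and stays silent on safe.php_.txt, the form a properly munged upload takes. A hit is not proof of compromise, but every hit is a file that bypassed the sanitization and deserves to be inspected and, in most cases, removed.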