{"id":38302,"date":"2020-11-20T17:55:00","date_gmt":"2020-11-20T17:55:00","guid":{"rendered":"http:\/\/6d712b66-ca2d-46ad-b6ff-bd43cd0d1f59"},"modified":"2020-11-20T17:55:00","modified_gmt":"2020-11-20T17:55:00","slug":"drupal-sites-vulnerable-to-double-extension-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/drupal-sites-vulnerable-to-double-extension-attacks\/","title":{"rendered":"Drupal sites vulnerable to double-extension attacks"},"content":{"rendered":"
\"Drupal\"<\/span>
<\/span> Image: Durpal Project \/\/ Composition: ZDNet <\/span><\/figcaption><\/figure>\n

The team behind the Drupal content management system (CMS) has released this week security updates to patch a critical vulnerability that is easy to exploit and can grant attackers full control over vulnerable sites.<\/p>\n

Drupal, which is currently the fourth most used CMS on the internet after WordPress, Shopify, and Joomla, gave the vulnerability a rating of “Critical<\/em>,” advising site owners to patch as soon as possible.<\/p>\n

Tracked as CVE-2020-13671<\/strong>, the vulnerability is ridiculously simple to exploit and relies on the good ol’ “double extension” trick.<\/p>\n

Attackers can add a second extension to a malicious file, upload it on a Drupal site through open upload fields, and have the malicious executed.<\/p>\n

For example, a malicious file like malware.php<\/em> could be renamed to malware.php.txt<\/em>. When uploaded on a Drupal site, the file would be classified as a text file rather than a PHP file but Drupal would end up executing the malicious PHP code when trying the read the text file.<\/p>\n

Drupal devs urge site admins to review recent uploads<\/h3>\n

Normally, files with two extensions would be detected, but in a security advisory<\/a> published on Wednesday, Drupal devs said the vulnerability resides in the fact that the Drupal CMS does not sanitize “certain” file names, allowing some malicious files to slip through.<\/p>\n

Drupal devs say this “can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.”<\/p>\n

<\/section>\n

Security updates were released for the Drupal 7, 8, and 9 versions to correct the file upload sanitization procedures.<\/p>\n

But the Drupal team also urges site admins to review recent uploads for files with two extensions; in case the bug has been discovered and exploited by attackers before the patch.<\/p>\n

“Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:<\/p>\n