Thursday, January 21, 08:16
Home security Drupal websites are vulnerable to double-extension attacks!

Drupal websites are vulnerable to double-extension attacks!

The team behind Drupal Content Management System (CMS) released some security updates this week to fix a critical vulnerability that is easy to exploit and can give attackers full control of vulnerable sites.

Drupal, which is currently the fourth most used CMS on the internet after WordPress, Shopify and Joomla, gave the vulnerability a "Critical" rating, advising site owners to update their systems as soon as possible.

The vulnerability named CVE-2020-13671 is based on the "double extension" trick.

Intruders can add a second extension to a malicious file, upload it to a Drupal site via open upload fields, and execute the malicious file.

Normally, files with two extensions should be located, but in a security advisory posted Wednesday, Drupal devs said that vulnerability lies in the fact that the Drupal CMS does not control some file names, allowing some malicious files to pass.

Security updates for Drupal 7, 8 and 9 have been released

However, in addition to updates, the Drupal team urges site administrators to check recent uploads for two-file extensions if the bug has been discovered and exploited by some. hacker before updating the code.

“Pay close attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

It is amazing that such an error was discovered in Drupal. The trick of double-extension is one of the oldest tricks.

The issue also created a significant problem for its users Windows, where malware creators often distribute files with two extensions, such as the.png.exe file.

Because Windows hides the latter extension of the file by default, the EXE extensions are hidden while only the first one is displayed, deceiving users into believing that they are opening one picture, but actually run an executable file that eventually installs malware.


Please enter your comment!
Please enter your name here

Teo Ehc
Be the limited edition.



Donald Trump: Thanks to Lil Wayne, not to Julian Assange!

Outgoing US President Donald Trump will award today thanks to rapper Lil Wayne in a final wave of pardon that ...

NASA: Uses AI to locate new craters on Mars Τα τελευταία 15 χρόνια, το Mars Reconnaissance Orbiter της NASA περιφέρεται γύρω από τον Άρη μελετώντας...

Windows 10: How to view recently installed updates

Microsoft frequently updates Windows 10, but it is not always clear when each update is installed. Fortunately, there are two easy ways ...

Lorex launches a bell with a 2K camera that detects faces

Lorex launches a new device for smart homes - the bell called "2K QHD Wired Video Doorbell with Person ...

Security awareness is not enough to deal with threats

Significant changes have been made in recent years in dealing with cyber threats. The human factor is now taken seriously in safety. For example,...

MeWe: Gained 2,5 million users in one week!

The social networking platform MeWe saw the number of its users increase significantly after the WhatsApp scandal.

Fake collaboration apps "infect" employees and steal data!

With the outbreak of the COVID-19 pandemic, a large percentage of organizations have experienced malware attacks on remote devices as employees work ...

LG is considering leaving the smartphone sector in 2021

After losing about $ 4,5 billion in the last five years, the smartphone company LG struggled to compete with its rivals. He...

Steve Jobs: Statue in the National Garden of American Heroes by Trump!

The American government decided to place a statue in honor of the co-founder and former CEO of Apple, Steve Jobs, in the National Park ...

Terminology 1.9: New Linux Terminal Emulator with more colors

Boris Faure announced a new version of Terminology 1.9 of the terminal emulator for Linux operating systems. For those who do not ...