The team behind the Drupal Content Management System (CMS) released security updates this week to fix a critical vulnerability that is easy to exploit and can give attackers full control of vulnerable sites.
Drupal, currently the fourth most used CMS on the internet after WordPress, Shopify and Joomla, rated the vulnerability "Critical" and advised site owners to update their systems as soon as possible.
The vulnerability, CVE-2020-13671, is based on the "double extension" trick.
Intruders give a malicious file a second, innocuous-looking extension (for example shell.php.jpg), upload it to a Drupal site through an open upload field, and then request it so that the server executes it; hosting configurations such as Apache with an AddHandler directive evaluate every extension in a filename rather than only the last one.
Normally, filenames with a dangerous inner extension should be sanitized before the file is stored, but in a security advisory posted Wednesday the Drupal developers said that Drupal core did not properly sanitize certain filenames, allowing some malicious files to pass under their harmless-looking final extension.
Security updates have been released for Drupal 7, 8 and 9 (versions 7.74, 8.8.11, 8.9.9 and 9.0.8).
In addition to patching, the Drupal team urges site administrators to audit files uploaded before the update for double extensions, since an attacker may already have discovered and exploited the bug.
“Pay close attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:
- phar
- php
- pl
- py
- cgi
- asp
- js
- html
- htm
- phtml”
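To make the advisory's guidance concrete, the following is an added example, written for this page and not taken from Drupal's code or the original article. It does two things: it audits a list of upload names for the extensions the advisory lists (in any position, since Apache-style handlers look at every segment), and it shows a hardened upload check that rejects a disallowed final extension and appends "_" to dangerous inner ones, the same approach Drupal's filename munging takes, re-implemented here independently. The filename list is constructed sample data; `audit_directory` assumes the uploads live under a path such as Drupal's default `sites/default/files`.

```python
"""Audit and sanitize double-extension upload names (the CVE-2020-13671 pattern)."""
from __future__ import annotations

from pathlib import Path

# Extensions the Drupal advisory calls dangerous even when more extensions follow.
DANGEROUS_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"}

# Constructed sample listing of an uploads directory (not real data).
SAMPLE_UPLOADS = [
    "holiday.jpg",
    "report.pdf",
    "avatar.PHP.png",      # classic double extension, mixed case
    "notes.html.txt",      # html is also on the advisory's list
    "bundle.js.gz",        # js followed by another extension
    "backup.tar.gz",       # harmless multi-extension name
    "shell.php",           # single dangerous extension
]


def extension_segments(filename: str) -> list[str]:
    """Lower-cased extension segments of the bare filename: 'a.PHP.jpg' -> ['php', 'jpg']."""
    return [seg.lower() for seg in Path(filename).name.split(".")[1:]]


def dangerous_extensions(filename: str) -> list[str]:
    """Every dangerous extension in the name, in any position.

    Apache's mod_mime evaluates all extensions of a name, so 'shell.php.jpg' can
    still reach the PHP handler; this is the check to run over pre-patch uploads.
    """
    return [seg for seg in extension_segments(filename) if seg in DANGEROUS_EXTENSIONS]


def audit_filenames(filenames) -> dict[str, list[str]]:
    """Map each suspicious filename to the dangerous extensions found in it."""
    return {name: hits for name in filenames if (hits := dangerous_extensions(name))}


def audit_directory(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree (e.g. sites/default/files) and audit every file name."""
    paths = (str(p) for p in Path(root).rglob("*") if p.is_file())
    return audit_filenames(paths)


def munge_filename(filename: str) -> str:
    """Append '_' to every dangerous inner extension: 'shell.php.jpg' -> 'shell.php_.jpg'.

    Same idea as Drupal's filename munging, but an independent re-implementation.
    The final extension is left alone; sanitize_upload decides whether it is allowed.
    """
    parts = filename.split(".")
    if len(parts) < 3:          # no inner extension to munge
        return filename
    inner = [p + "_" if p.lower() in DANGEROUS_EXTENSIONS else p for p in parts[1:-1]]
    return ".".join([parts[0], *inner, parts[-1]])


def sanitize_upload(filename: str, allowed: set[str]) -> str | None:
    """Hardened upload check: refuse a disallowed final extension, munge the rest.

    Returns the safe name to store, or None when the upload must be rejected.
    """
    segments = extension_segments(filename)
    if not segments or segments[-1] not in allowed:
        return None
    return munge_filename(Path(filename).name)


if __name__ == "__main__":
    for name, hits in audit_filenames(SAMPLE_UPLOADS).items():
        print(f"{name}: dangerous extension(s) {hits}")
    print(sanitize_upload("shell.php.jpg", {"jpg", "png", "gif"}))
```

Run against a real site, `audit_directory("sites/default/files")` lists every stored name that deserves a look; a hit does not prove the file was executed, but a name like avatar.PHP.png sitting in an image field is a strong sign that someone probed the bug and the file's contents should be inspected before anything else.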
It is surprising that such a bug survived in Drupal, since the double-extension trick is one of the oldest in the book.
The same trick has long been a problem for Windows users, where malware authors distribute files with two extensions, such as photo.png.exe.
Because Windows hides the extensions of known file types by default, the .exe is not shown and the file appears as photo.png, tricking users into believing they are opening a picture when they are actually running an executable that installs malware.