Drupal: Security updates to deal with exploits

The developers of the Drupal content management system (CMS) have released emergency security updates because exploits are available that may endanger systems.


The updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address two vulnerabilities that affect PEAR Archive_Tar, a third-party library designed for handling .tar files in PHP.

The updates fix two vulnerabilities tracked as CVE-2020-28948 and CVE-2020-28949.

Exploitation involves manipulating filenames and can allow an attacker to execute PHP code or overwrite files, including important files such as /etc/passwd and /etc/shadow.

The researcher who reported the vulnerabilities also published proof-of-concept (PoC) exploits, which is why the Drupal developers decided to release special updates to protect their users from a possible attack.

According to the update schedule, the patch released on November 25 is not a basic update. However, this was necessary because there are known exploits that make certain Drupal configurations vulnerable to attacks.


Drupal developers have pointed out that exploitation is possible if the CMS is configured to allow the uploading of .tar, .tar.gz, .bz2 or .tlz files. Last year, similar vulnerabilities related to the same PEAR library were fixed. The developers said that the current vulnerabilities are not related to last year's, although the same configuration changes may mitigate the problem. One of the tips that experts give to users is to prohibit untrusted users from uploading archives with the above extensions.
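A pre-extraction screen for uploaded archives, as an added example that is not part of the original article and is not Drupal's or Archive_Tar's own code. It is written in Python as a stand-alone audit tool; the function names and the sample archive are constructed for illustration, and the link-entry check goes beyond the filename cases the article names.

```python
import io
import re
import tarfile

# Extensions the Drupal developers named as risky to accept from untrusted users.
BLOCKED_EXTENSIONS = (".tar", ".tar.gz", ".bz2", ".tlz")

# Member name starting with a URI-style scheme; case-insensitive on purpose.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def is_blocked_upload(filename):
    """True if the upload's name ends with one of the archive extensions."""
    return filename.lower().endswith(BLOCKED_EXTENSIONS)


def suspicious_members(archive_bytes):
    """Return (member name, reason) pairs for entries that should not be extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            name = member.name
            if SCHEME_RE.match(name):
                findings.append((name, "scheme prefix"))
            elif name.startswith("/"):
                findings.append((name, "absolute path"))
            elif ".." in name.split("/"):
                findings.append((name, "parent-directory traversal"))
            elif member.issym() or member.islnk():
                findings.append((name, "link entry"))
    return findings


def build_sample():
    """Constructed sample archive: one benign entry and three hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "/etc/passwd", "../../settings.php",
                     "Scheme://constructed/name"):
            info = tarfile.TarInfo(name)
            data = b"constructed sample data\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample()):
        print(f"{reason}: {name}")
```

The screen only reads member headers and never extracts anything, so it can run on an upload before the archive reaches any PHP code.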

This is the sixth security update released this year for the Drupal CMS. The fifth patch was also released this month to fix a vulnerability that allowed an attacker to execute code remotely.

Source: Security Week

Digital Fortress