The team that makes the Drupal CMS (Content Management System) has released security updates to fix a critical vulnerability, giving attackers full control over Drupal sites. Drupal is the fourth most-used CMS on the internet, trailing WordPress, Shopify, and Joomla.
The vulnerability was rated ‘Critical,’ and site owners using Drupal have all been advised to run the patch as soon as possible.
The vulnerability was named CVE-2020-13671 for tracking purposes. It was discovered that the flaw is ridiculously easy to crack. The operation of breaching it relies on a 90’s trick called the “double extension.”
The ’90s would like their vulnerability back
Hackers add a second extension to a malicious file, upload the file into a Drupal site using the upload fields, and can then execute the malicious file without any additional work.
For instance, a malicious malware.php file can be uploaded easily by renaming it malware.php.doc. When it is uploaded on a Drupal site, the file will be classified as a text file instead of a PHP file, causing Drupal to execute the malware if it attempts to read the text file.
Drupal has therefore spoken to site admins to review recent uploads for any suspicious files that may be malware masquerading as other file types.
A simple but fatal flaw
Under normal circumstances, the two extensions would be detectable. Drupal developers say that the vulnerability is present because Drupal CMS does not sanitize some file names, allowing hackers to slip them through by merely renaming them as different file types.
The developers say that the files can be misinterpreted because of the extension confusion. It is then served as the wrong MIME type and executed as PHP.
Security updates were released for Drupal 7,8, and 9 to correct the flaw.