Drupal sites vulnerable to double-extension attacks

Drupal

Symbol: Durpal Undertaking // Composition: ZDNet

The group in the back of the Drupal content material control device (CMS) has launched this week safety updates to patch a crucial vulnerability this is simple to milk and will grant attackers complete keep watch over over susceptible websites.

Drupal, which is recently the fourth maximum used CMS on the net after WordPress, Shopify, and Joomla, gave the vulnerability a ranking of “Vital,” advising website online house owners to patch once conceivable.

Tracked as CVE-2020-13671, the vulnerability is ridiculously easy to milk and depends on the great ol’ “double extension” trick.

Attackers can upload a 2nd extension to a malicious report, add it on a Drupal website online via open add fields, and feature the malicious done.

For instance, a malicious report like malware.php might be renamed to malware.php.txt. When uploaded on a Drupal website online, the report can be categorized as a textual content report fairly than a PHP report however Drupal would finally end up executing the malicious PHP code when making an attempt the learn the textual content report.

Drupal devs urge website online admins to check contemporary uploads

Typically, information with two extensions can be detected, however in a safety advisory printed on Wednesday, Drupal devs mentioned the vulnerability is living in the truth that the Drupal CMS does now not sanitize “sure” report names, permitting some malicious information to slide via.

Drupal devs say this “may end up in information being interpreted because the unsuitable extension and served because the improper MIME kind or done as PHP for sure web hosting configurations.”

Safety updates had been launched for the Drupal 7, eight, and nine variations to proper the report add sanitization procedures.

However the Drupal group additionally urges website online admins to check contemporary uploads for information with two extensions; in case the worm has been came upon and exploited by means of attackers sooner than the patch.

“Pay explicit consideration to the next report extensions, which must be thought to be unhealthy even if adopted by means of a number of further extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

“This listing isn’t exhaustive, so overview safety considerations for different unmunged extensions on a case-by-case foundation,” Drupal devs mentioned.

It’s sudden that this kind of worm was once came upon in Drupal. The double-extension trick is likely one of the oldest tips within the ebook, and it is one of the crucial major assault vectors that CMS merchandise validate when processing add fields.

The problem has additionally been a big factor for Home windows customers, the place malware authors incessantly distribute information with two extensions, corresponding to report.png.exe.

As a result of Home windows hides the closing report extension by means of default, the EXE extensions is hidden whilst simplest the primary one is proven, tricking customers into believing they are opening a picture however, in reality, are in reality working an executable report that at last installs malware.

Leave a Reply

Your email address will not be published. Required fields are marked *