Drupal Releases Patch for Double Extension Attack Vulnerability


The team behind the Drupal CMS released security updates this week to fix a critical, easily exploitable vulnerability that could have given attackers complete control over vulnerable sites.

Drupal, which is currently the fourth most used CMS on the internet (after WordPress, Shopify and Joomla), has assigned the vulnerability a “Critical” rating, advising site owners to apply patches as soon as possible.

An easily exploitable vulnerability

Tracked as CVE-2020-13671, the vulnerability is trivially simple to exploit and relies on the good old “double extension” trick.

All an attacker would need to do is add a second extension to a malicious file, upload it to a Drupal site through a file upload field the site exposes, and have the code executed.

For example, an attacker could rename “malware.php” to “malware.php.txt”. Drupal's extension check sees a text file, not a PHP file, and accepts the upload. The file then sits in the site's public files directory, and on hosts where the web server's PHP handler matches on any extension appearing in the name rather than only the final one (Apache's AddHandler directive behaves this way), the server will hand the file to PHP and execute the malicious code. Drupal itself does not run the file; the hosting configuration does.

Misinterpretation of the extension

Normally, Drupal neutralises such filenames when it stores an upload: any non-final extension that is not explicitly allowed gets an underscore appended, so “malware.php.txt” is saved as “malware.php_.txt” and no longer matches a PHP handler. But in a security advisory published on Wednesday, Drupal developers say the vulnerability lies in the fact that the Drupal CMS does not sanitize “certain” filenames, allowing such files to slip through the cracks.

According to the advisory, this situation “may lead to the files being considered the wrong extension, and serving the wrong MIME type or being executed in PHP for certain hosting configurations”.

Security updates have been released for Drupal versions 7, 8, and 9 that correct the filename sanitization applied to uploaded files.

List of extensions to watch out for

The Drupal team also advises site administrators to audit recently uploaded files for double extensions, in case the flaw was discovered and exploited by attackers before the patch was released.

“Pay particular attention to the following file extensions, which should be considered dangerous even if followed by one or more other extensions:”

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

“This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis”, the Drupal developers add.
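The two operations the article describes, neutralising inner extensions at upload time and auditing existing uploads for the extensions the advisory lists, are shown together below as an added example. This is not Drupal's own code: the munging rule is a reconstruction of the approach Drupal's file_munge_filename() takes (append an underscore to any non-final extension that is not explicitly allowed), and the exact regex and whitelist handling are assumptions; the sample filenames are constructed, not real upload data.

```python
"""Detect and neutralise double-extension filenames of the kind described in
Drupal's SA-CORE-2020-012 advisory (CVE-2020-13671).

Added example, not Drupal's own code.  The munging rule is a reconstruction
of the approach Drupal's file_munge_filename() takes; treat the regex and
the whitelist handling as assumptions.
"""
import os
import re
import time
from typing import Iterable, List, Set

# Extensions the advisory says to treat as dangerous even when followed by
# one or more further extensions ('pl' is Perl, 'htm' is the short HTML form).
DANGEROUS_EXTENSIONS: Set[str] = {
    "phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml",
}

# Extension-like segment: 2-5 letters optionally followed by one digit
# (php, php5, phtml, pl).  Assumed to mirror Drupal's pattern.
_EXT_SEGMENT = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def split_extensions(filename: str) -> List[str]:
    """Return every dot-separated extension of a basename, lower-cased.

    'malware.php.txt' -> ['php', 'txt']; 'photo.jpg' -> ['jpg'];
    '.htaccess' -> [] (a leading dot marks a hidden file, not an extension).
    """
    name = os.path.basename(filename).lstrip(".")
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def is_suspicious(filename: str) -> bool:
    """True if any extension segment, final or not, is a dangerous one.

    A dangerous final extension should never have been accepted at all; a
    dangerous inner extension is the double-extension trick (malware.php.txt)
    that handler configurations matching on any segment will execute.
    """
    return any(ext in DANGEROUS_EXTENSIONS for ext in split_extensions(filename))


def munge_filename(filename: str, allowed: Iterable[str]) -> str:
    """Neutralise inner extensions the way a safe upload path should.

    Every non-final extension that is not in `allowed` and looks like an
    extension gets an underscore appended, so 'malware.php.txt' becomes
    'malware.php_.txt' and no '.php' segment remains for a handler to match.
    The final extension is left alone: the caller must already have checked
    it against `allowed`.  Any directory part of the path is preserved.
    """
    allowed_lc = {a.lower() for a in allowed}
    directory, name = os.path.split(filename)
    parts = name.split(".")
    if len(parts) < 3:  # stem plus at most one extension: nothing inner to munge
        return filename
    stem, inner, final = parts[0], parts[1:-1], parts[-1]
    munged = [stem]
    for segment in inner:
        if segment.lower() not in allowed_lc and _EXT_SEGMENT.match(segment):
            segment += "_"
        munged.append(segment)
    munged.append(final)
    return os.path.join(directory, ".".join(munged))


def find_suspicious_uploads(filenames: Iterable[str]) -> List[str]:
    """Return, in input order, the filenames that carry a dangerous extension."""
    return [f for f in filenames if is_suspicious(f)]


def scan_directory(root: str, max_age_days: float = 30) -> List[str]:
    """Walk a files directory and return recently modified suspicious paths.

    Point this at the site's public and private files directories to audit
    uploads that happened before the patch was applied.
    """
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or unreadable; skip rather than abort the audit
            if mtime >= cutoff and is_suspicious(name):
                hits.append(path)
    return sorted(hits)


# Constructed sample of names as they might appear under sites/default/files.
SAMPLE_UPLOADS = [
    "photo.jpg",
    "report.final.pdf",
    "archive.tar.gz",
    "malware.php.txt",   # the classic double extension
    "shell.PhP.txt",     # mixed case must not evade the check
    "notes.txt.php",     # dangerous final extension
    "page.HTML.txt",
    "script.pl.jpg",
    ".htaccess",
]

if __name__ == "__main__":
    allowed = {"txt", "jpg", "pdf", "gz", "tar"}
    for name in find_suspicious_uploads(SAMPLE_UPLOADS):
        print(f"{name:18s} -> would be stored as {munge_filename(name, allowed)}")
```

The audit flags a file whenever any segment is dangerous, including the final one, because a dangerous final extension means the allow-list itself was bypassed. The munging step deliberately leaves the final extension untouched; renaming it silently would hide an allow-list failure that should instead reject the upload.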

An age-old trick

It is surprising that such a bug was found in Drupal. The double extension is an age-old trick, and it is one of the first attack vectors a CMS checks for when handling upload fields.

The trick is best known from desktop malware aimed at Windows users, which is often distributed with two extensions, such as file.png.exe. Windows hides the extensions of known file types by default, so the trailing .exe does not appear and the user sees only file.png. Thinking it is an image, the user launches an executable that ends up installing malware.

Source : ZDNet.com
