Drupal-based sites open to attack via double extension files (CVE-2020-13671)

Admins of sites running on Drupal are urged to plug a critical security hole (CVE-2020-13671) that may be exploited by attackers to take over vulnerable sites.


They have also been urged to check that the vulnerability hasn’t already been covertly leveraged by attackers.

About the vulnerability (CVE-2020-13671)

CVE-2020-13671 exists because Drupal core (the standard release of Drupal) does not properly sanitize certain filenames on uploaded files.

A malicious file with a double extension (e.g., php.txt) could be “interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations,” the Drupal security team noted.

They have provided security updates with the fix and recommended admins to upgrade to Drupal version 9.0.8, 8.9.9, 8.8.11 or 7.74, depending on which Drupal branch they are currently using.

The team did not say that they aware of the vulnerability being actively exploited, but recommended admins to audit all previously uploaded files to check for malicious extensions.

“Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm, phtml. This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis,” they advised.

Drupal-based sites form a big target

Drupal vulnerabilities are often exploited by attackers. Drupal is free and open-source content management system, and is the fourth most widely used CMS after WordPress, Shopify and Joomla.

But though the number of sites depending on Drupal is much, much smaller that the number of WordPress-based sites, it is still over a million.

Admins should also be aware that while Drupal v7.x is still maintained and receives security updates, it will reach end-of-life in November of 2021, so those who use it are urged to start planning the upgrade to a newer version, preferably 9.x.

UPDATE (November 24, 2020, 11:20 a.m. PT):

Drupal v7.x EOL has been extended until November 28, 2022, “given the impact of COVID-19 on budgets and businesses.”

Don't miss