
Drupal Remote Code Execution Vulnerability (CVE-2020-13671)

Nov 24, 2020 GMT+08:00

I. Overview

Drupal has officially reported a remote code execution vulnerability (CVE-2020-13671) that can be triggered through uploaded files. Drupal core does not properly sanitize certain file names on uploaded files, so a file can be interpreted as having a different extension than intended and be served with the wrong MIME type or, on certain hosting configurations, executed as PHP.

If you are a Drupal user, check your system and implement timely security hardening.

References:

https://www.drupal.org/sa-core-2020-012

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Drupal 9.0.x versions earlier than 9.0.8

Drupal 8.9.x versions earlier than 8.9.9

Drupal 8.8.x versions earlier than 8.8.11

Drupal 7.x versions earlier than 7.74

Secure versions:

Drupal 9.0.8

Drupal 8.9.9

Drupal 8.8.11

Drupal 7.74

IV. Vulnerability Handling

1. This vulnerability has been fixed in the latest official versions. If your service version falls into the affected range, upgrade to the latest secure version.

https://www.drupal.org/project/drupal/releases

2. Check the files uploaded to the Drupal files directory, especially files with multiple extensions, such as filename.php.txt and filename.html.gif.
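The following Python script is an added example of the check in step 2; it is not part of this notice or of Drupal. It walks an upload directory and flags names carrying a script or markup extension in an inner position (filename.php.txt, filename.html.gif); the extension list, the sample listing and the sites/default/files path are constructed assumptions.

```python
"""Scan a Drupal upload directory for file names with more than one extension
where an inner extension (e.g. the 'php' in filename.php.txt) is a type a
mis-configured web server could execute or serve as the wrong MIME type."""
import os
from typing import Iterable, List

# Inner extensions that should not appear before the final one in an uploaded
# file name. Constructed list for this example; extend it to match your server.
RISKY_INNER_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar",
    "html", "htm", "shtml", "js", "svg", "cgi", "pl", "py", "asp", "aspx", "jsp",
}


def risky_inner_extensions(filename: str) -> List[str]:
    """Return the inner extensions of *filename* found on the risky list.

    'report.php.txt' -> ['php'], 'a.html.gif' -> ['html'], 'image.jpg' -> [].
    Only the base name is examined, so directory components never match, and a
    single-extension name such as 'shell.php' is out of scope for this check
    (that case is handled by the upload extension whitelist, not by this scan).
    """
    parts = os.path.basename(filename).lower().split(".")
    # parts[0] is the stem and parts[-1] the final (served) extension;
    # everything in between is an inner extension. Empty parts from
    # leading dots or '..' are ignored.
    inner = [p for p in parts[1:-1] if p]
    return [ext for ext in inner if ext in RISKY_INNER_EXTENSIONS]


def find_suspicious(filenames: Iterable[str]) -> List[str]:
    """Filter an iterable of paths down to the suspicious ones, sorted."""
    return sorted(f for f in filenames if risky_inner_extensions(f))


def scan_directory(root: str) -> List[str]:
    """Walk *root* (e.g. sites/default/files) and return suspicious paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if risky_inner_extensions(n))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample listing standing in for a real sites/default/files tree.
    SAMPLE = ["logo.png", "report.pdf", "filename.php.txt", "filename.html.gif",
              "notes.tar.gz", ".htaccess", "file.php_.txt"]
    for path in find_suspicious(SAMPLE):
        print(path, "->", risky_inner_extensions(path))
```

Names already munged by Drupal's sanitizer (an underscore appended to the inner extension, as in file.php_.txt) are not flagged, so the scan reports only files that still carry the raw pattern.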

The Web Application Firewall (WAF) service, provided by HUAWEI CLOUD, can defend against attacks exploiting this vulnerability. If you are a WAF user, set the basic web protection status to Block, and enable Webshell Detection in the Advanced Settings. For details, see Configuring Basic Web Protection Rules.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.