On 18 November 2020, Drupal released an advisory for a critical Remote Code Execution vulnerability (CVE-2020-13671). Successful exploitation may allow attackers to take over vulnerable sites.
The bug exists in Drupal core because certain filenames of uploaded files are not properly sanitized. As a result, a file can end up with an unexpected extension and be served with the wrong MIME type or, under specific hosting configurations, executed as PHP.
The Drupal security team recommended in the advisory to “audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension.”
The Drupal security team suggested that users pay specific attention to the following file extensions and check if these extensions are followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm, phtml.
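To make the audit rule above concrete, here is an added Python example (not Drupal's or Qualys's code) that flags double-extension file names according to the advisory's guidance and shows how inserting an underscore after a dangerous extension neutralises them; the file list it scans is constructed for the example.

```python
from pathlib import PurePosixPath

# Extensions the advisory asks administrators to look for when they are
# followed by one or more further extensions (list taken from the advisory).
DANGEROUS_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "asp",
                        "js", "html", "htm", "phtml"}


def is_suspicious(path: str) -> bool:
    """True if the file name has more than one extension and any extension
    other than the last is a dangerous one that has not been neutralised
    with '_'. 'report.php.txt' is flagged; 'report.php_.txt' and a plain
    'index.php' are not."""
    parts = PurePosixPath(path).name.split(".")
    if len(parts) < 3:  # fewer than two extensions: not a double-extension case
        return False
    # 'php_' is not in the set, so already-munged names pass this check
    return any(ext.lower() in DANGEROUS_EXTENSIONS for ext in parts[1:-1])


def munge_filename(name: str) -> str:
    """Append '_' to every dangerous intermediate extension. This mirrors the
    underscore the advisory refers to; the implementation is our own, not
    Drupal's."""
    parts = name.split(".")
    for i in range(1, len(parts) - 1):
        if parts[i].lower() in DANGEROUS_EXTENSIONS:
            parts[i] += "_"
    return ".".join(parts)


def audit(paths):
    """Return the subset of paths an administrator should inspect."""
    return [p for p in paths if is_suspicious(p)]


# Constructed sample of an uploads directory listing
SAMPLE_UPLOADS = [
    "sites/default/files/report.pdf",
    "sites/default/files/archive.tar.gz",
    "sites/default/files/report.php.txt",
    "sites/default/files/photo.HTML.gif",
    "sites/default/files/notes.php_.txt",
]

if __name__ == "__main__":
    for p in audit(SAMPLE_UPLOADS):
        print(f"{p} -> safe name: {munge_filename(PurePosixPath(p).name)}")
```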
The following Drupal core versions are affected:
- Drupal Core 9.0 versions before 9.0.8
- Drupal Core 8.9 versions before 8.9.9
- Drupal Core 8.8 versions before 8.8.11
- Drupal Core 7.x versions before 7.74
Qualys customers can scan their network with QID 13314 to detect vulnerable assets. Kindly continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.