November 26, 2020

CVE-2020-13671: Drupal Remote Code Execution Vulnerability Alert

1 min read
On November 18, 2020, Drupal issued a risk notice for Drupal code execution vulnerability, the vulnerability number is CVE-2020-13671. The security risk is Critical. An unauthorized remote attacker can cause arbitrary code execution by uploading a file with a specific file name.
Drupal Remote Code Execution

Vulnerability Detail

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

Affected version

  • Drupal: 9.0
  • Drupal: 8.9
  • Drupal: 8.8.x
  • Drupal: 7

Unaffected version

Solution

In this regard, we recommend that users upgrade Drupal to the latest version in time.
Temporary repair suggestions

it’s recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.