CVE-2020-36193: Drupal Directory Traversal Vulnerability Alert

Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License. Drupal provides a back-end framework for at least 12% of the top 10,000 websites worldwide – ranging from personal blogs to corporate, political, and government sites. On January 20, Drupal officially released a security update to fix the Drupal remote code execution vulnerability (CVE-2020-36193). An attacker who exploits this high-risk vulnerability can traverse directories and potentially execute code remotely, gaining control of the server, so the security risk is considerable.

Vulnerability Detail

Drupal uses the PEAR Archive_Tar library as a dependency. When it processes uploaded archives in formats such as .tar, .tar.gz, .bz2 or .tlz, the library does not filter archive entries strictly enough, so an attacker can craft an archive containing symbolic links and upload it. This can result in directory traversal and, in turn, remote code execution.

Affected versions

  • Drupal < 9.1.3
  • Drupal < 9.0.11
  • Drupal < 8.9.13
  • Drupal < 7.78

Solution

Upgrade Drupal to the latest version. You can also configure Drupal to prohibit users from uploading archives in formats such as .tar, .tar.gz, .bz2 and .tlz.
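As an added example (not code from Drupal or Archive_Tar), the following Python check inspects an uploaded .tar/.tar.gz/.bz2 archive before any extraction and reports the entries a site should refuse: symlink and hard-link entries like those the advisory describes, absolute names, and names that normalise to a path above the extraction root. The function names and the sample archive are constructed for this illustration.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar_bytes: bytes) -> list:
    """Return (member name, reason) for every archive entry that must not be extracted.

    Link entries are rejected outright, because a later entry written through a
    link can land outside the extraction directory. Absolute names and names that
    climb above the extraction root are rejected as well.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if member.issym() or member.islnk():
                findings.append((name, "link entry (symlink or hard link)"))
            elif name.startswith("/"):
                findings.append((name, "absolute path"))
            else:
                resolved = posixpath.normpath(name)
                if resolved == ".." or resolved.startswith("../"):
                    findings.append((name, "escapes extraction root"))
    return findings


def is_safe_archive(tar_bytes: bytes) -> bool:
    """True only when no entry produced a finding; extract only after this returns True."""
    return not unsafe_members(tar_bytes)


def build_sample_archive(include_unsafe: bool = True) -> bytes:
    """Constructed .tar.gz used to exercise the checks (not a real Drupal module)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("module/module.info.yml")  # ordinary, harmless file
        data = b"name: Example\ntype: module\n"
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        if include_unsafe:
            link = tarfile.TarInfo("module/out")  # symlink entry pointing outside
            link.type = tarfile.SYMTYPE
            link.linkname = "../../sites/default"
            tar.addfile(link)
            esc = tarfile.TarInfo("module/../../settings.php")  # name climbs out
            tar.addfile(esc, io.BytesIO(b""))
    return buf.getvalue()
```

Run `unsafe_members()` on every upload before handing the archive to Archive_Tar; a non-empty result means the upload should be rejected and logged.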