
Drupal sites vulnerable to double-extension attacks


Image: Drupal Project // Composition: ZDNet

The team behind the Drupal content management system (CMS) released security updates this week to patch a critical vulnerability that is easy to exploit and can give attackers full control over vulnerable sites.

Drupal, currently the fourth most used CMS on the web after WordPress, Shopify, and Joomla, rated the vulnerability "Critical" and advised site owners to patch as soon as possible.

Tracked as CVE-2020-13671, the vulnerability is trivially easy to exploit and relies on the good old "double extension" trick.

Attackers append a second extension to a malicious file, upload it to a Drupal site through an open upload field, and have the malicious code executed.

For example, a malicious file named malware.php can be renamed to malware.php.txt. When uploaded to a Drupal site, the file is classified as a text file rather than a PHP file, but on certain hosting configurations the web server still executes the embedded PHP when the file is requested, because it associates the PHP handler with a .php segment anywhere in the file name rather than only at the end.

Drupal devs urge web site admins to study contemporary uploads

Normally, files with two extensions are caught: Drupal "munges" an upload whose inner extension is not on the allowed list by appending an underscore to that extension, so malware.php.txt is stored as malware.php_.txt and no longer matches the server's .php handler. But in a security advisory published on Wednesday, the Drupal developers said the vulnerability lies in the fact that the CMS does not properly sanitize "certain" file names, allowing some malicious files to slip through unmunged.

The flaw, the developers say, "can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations." The configurations at risk are those where PHP is attached to the .php extension wherever it appears in a file name, as Apache's AddHandler directive does, rather than only to file names that end in .php.

Security updates have been released for Drupal 7, 8, and 9 (versions 7.74, 8.8.11, 8.9.9, and 9.0.8) to correct the file upload sanitization.

But the Drupal team also urges site admins to review recent uploads for files with two extensions, in case the bug was discovered and exploited by attackers before the patch.

"Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

"This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis," the Drupal developers said.
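The two things a site admin needs after reading the advisory are a check for the unmunged inner extension the advisory describes and a way to sweep an uploads directory for files that carry one. The following Python is an added example written for this page; it is not Drupal's code and not part of the original ZDNet article. It uses the advisory's extension list as its dangerous list, re-implements the underscore munging that Drupal applies to inner extensions (the function names `has_unmunged_inner_extension`, `munge_filename`, `is_suspicious_upload` and `audit_uploads` are this example's own), and audits a constructed temporary directory of sample file names rather than a real site.

```python
import os
import re
import shutil
import tempfile
import time
from typing import List, Optional

# Extensions the Drupal advisory lists as dangerous even when followed by one
# or more further extensions. The advisory itself says the list is not exhaustive.
DANGEROUS_EXTENSIONS = (
    "phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml",
)

# Matches a dangerous extension that is followed by another extension, i.e. an
# inner extension such as the ".php" in "malware.php.txt". Matching is
# case-insensitive because web-server extension matching usually is too.
_INNER_DANGEROUS = re.compile(
    r"\.(?:" + "|".join(DANGEROUS_EXTENSIONS) + r")(?=\.[^./]+)",
    re.IGNORECASE,
)


def has_unmunged_inner_extension(filename: str) -> bool:
    """True if a dangerous extension sits before the final extension and has
    not been neutralised: 'malware.php.txt' -> True, 'malware.php_.txt' -> False."""
    return _INNER_DANGEROUS.search(os.path.basename(filename)) is not None


def munge_filename(filename: str) -> str:
    """Neutralise inner dangerous extensions the way Drupal's munging does:
    append an underscore so the web server no longer sees a '.php' segment.
    Hypothetical re-implementation for the advisory's list, not Drupal's code.
    'malware.php.txt' -> 'malware.php_.txt'"""
    return _INNER_DANGEROUS.sub(lambda m: m.group(0) + "_", os.path.basename(filename))


def is_suspicious_upload(filename: str) -> bool:
    """For auditing an uploads directory: flag a file if ANY of its dot-separated
    extensions, final or inner, is on the dangerous list. Munged segments such
    as 'php_' do not match."""
    segments = os.path.basename(filename).split(".")[1:]
    return any(seg.lower() in DANGEROUS_EXTENSIONS for seg in segments)


def audit_uploads(root: str, newer_than_days: Optional[float] = None) -> List[str]:
    """Walk an uploads directory (for Drupal, typically sites/default/files) and
    return the paths of suspicious files, optionally only those modified within
    the last `newer_than_days` days, which is the review the advisory asks for."""
    cutoff = None if newer_than_days is None else time.time() - newer_than_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_suspicious_upload(name):
                continue
            path = os.path.join(dirpath, name)
            if cutoff is not None and os.path.getmtime(path) < cutoff:
                continue
            hits.append(path)
    return sorted(hits)


def demo() -> List[str]:
    """Build a throwaway directory of constructed sample uploads (not real data),
    audit it and return the flagged file names."""
    root = tempfile.mkdtemp(prefix="drupal-files-")
    try:
        for name in ("report.txt", "photo.jpg", "malware.php.txt", "shell.PHAR.gif",
                     "safe.php_.txt", "notes.html.pdf", "backdoor.php"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("sample")
        return [os.path.basename(p) for p in audit_uploads(root, newer_than_days=7)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name in ("malware.php.txt", "safe.php_.txt", "photo.jpg"):
        print(f"{name:20} inner-dangerous={has_unmunged_inner_extension(name)} "
              f"munged={munge_filename(name)}")
    print("flagged uploads:", demo())
```

Note the difference between the two checks: the munging check only cares about inner extensions, because a dangerous final extension is supposed to be rejected outright by the allowed-extension validation; the audit check flags any dangerous segment, final or inner, because on a site that was exploited before patching the interesting file may be either. Drupal's own munging is broader than this example in one respect: it underscores any inner extension that is not on the upload field's allowed list, not only the ten named in the advisory, so a field that allows "txt" would also turn a.tar.txt into a.tar_.txt.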

It is surprising that a bug of this kind was found in Drupal. The double-extension trick is one of the oldest tricks in the book, and it is among the first attack vectors that CMS products validate against when processing upload fields.

The issue has also been a major problem for Windows users, where malware authors often distribute files with two extensions, such as file.png.exe.

Because Windows hides the last file extension by default, the EXE extension is hidden while only the first one is shown, tricking users into believing they are opening an image when they are in fact running an executable that installs malware.
