Drupal Sites Vulnerable to Critical Security Flaw (CVE-2020-13671)

Is your website running on Drupal? If so, beware: security researchers discovered a security weakness in the system that needs to be patched immediately. The vulnerability, CVE-2020-13671, is critical and can lead to site takeovers if exploited successfully. If your website is indeed running on Drupal, you should also monitor it for attack attempts leveraging the flaw.

CVE-2020-13671 Critical Hole in Drupal Sites

According to its official description, the flaw exists because Drupal core in its standard release doesn’t correctly sanitize specific filenames on uploaded files. This could lead to files being interpreted as having an incorrect extension and served as the wrong MIME type. Under specific hosting configurations, attackers could even get these files executed as PHP. The CVE-2020-13671 vulnerability affects Drupal Core 9.0 versions before 9.0.8, 8.9 versions before 8.9, 8.8 versions before 8.8.11, and 7 versions before 7.74.

In other words, an uploaded malicious file can be served or executed in the way described above. Fortunately, fixes are already available, and website admins should upgrade their Drupal installations as soon as possible. Drupal hasn’t confirmed whether the flaw has been abused in the wild, but admins should audit previously uploaded files to check for malicious extensions. If you are unsure what to look for, search for files that carry more than one extension, such as filename.php.txt or filename.html.gif, where the extension has not been munged with an underscore (_).

“Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm, phtml. This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis,” Drupal said in its advisory.
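The audit the advisory recommends can be scripted. The following is an added example, not code from the article or from Drupal: it walks an upload directory and flags file names where one of the advisory's dangerous extensions is followed by one or more further extensions and has not been munged with an underscore (Drupal's sanitizer rewrites such names to the form `shell.php_.txt`). The directory layout, the sample file names and the `flagged_reason`/`audit_directory` helper names are constructed for the example; the extension list is the one quoted from the advisory, which it calls non-exhaustive.

```python
"""Audit an upload directory for unmunged multi-extension file names.

Added example (not from the article or from Drupal). It applies the
advisory's audit advice: flag names where a dangerous extension is followed
by further extensions and has not been munged with an underscore.
"""
import os
import tempfile

# Extensions the Drupal advisory says to treat as dangerous even when they
# are followed by additional extensions. The advisory notes the list is not
# exhaustive; extend it for your own hosting configuration.
DANGEROUS_EXTENSIONS = {
    "phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml",
}


def extension_parts(filename):
    """Split 'shell.php.txt' into ['php', 'txt'] (lower-cased, name dropped)."""
    return [part.lower() for part in os.path.basename(filename).split(".")[1:]]


def flagged_reason(filename):
    """Return why a file name is suspicious, or None if it looks safe.

    A part is treated as munged (and therefore safe) when it contains an
    underscore, which is the form Drupal's sanitizer produces ('shell.php_.txt').
    """
    parts = extension_parts(filename)
    for index, part in enumerate(parts):
        if "_" in part or part not in DANGEROUS_EXTENSIONS:
            continue
        if index < len(parts) - 1:
            # The bug class the advisory describes: an executable extension
            # hidden behind one or more harmless-looking trailing extensions.
            trailing = ".".join(parts[index + 1:])
            return f"dangerous extension '.{part}' followed by '.{trailing}'"
        return f"dangerous extension '.{part}' in upload directory"
    return None


def audit_filenames(filenames):
    """Return [(name, reason)] for every suspicious name, sorted by name."""
    findings = []
    for name in sorted(filenames):
        reason = flagged_reason(name)
        if reason:
            findings.append((name, reason))
    return findings


def audit_directory(root):
    """Walk an upload directory (e.g. sites/default/files) and audit every file."""
    paths = []
    for dirpath, _dirnames, files in os.walk(root):
        for name in files:
            paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return audit_filenames(paths)


if __name__ == "__main__":
    # Constructed sample upload directory; these are not real site files.
    sample_names = [
        "photo.jpg", "report.pdf", "archive.tar.gz", "shell.php_.txt",
        "shell.php.txt", "page.html.gif", "Backdoor.PHTML.png", "README",
    ]
    with tempfile.TemporaryDirectory() as upload_dir:
        for name in sample_names:
            open(os.path.join(upload_dir, name), "w").close()
        for name, reason in audit_directory(upload_dir):
            print(f"{name}: {reason}")
```

Point `audit_directory` at the site's public and private file directories; a flagged name is a candidate for review, not proof of compromise, since legitimate uploads occasionally carry odd double extensions. Names that already contain the underscore munge are skipped because Drupal's own sanitizer produced them.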

More about Drupal

Drupal is a free and open-source CMS. It is the fourth most common content management system after WordPress, Shopify, and Joomla. Attacks against Drupal-running sites have happened in the past. If your website runs on this CMS, beware that Drupal version 7.x will reach its end-of-life in November next year. You may want to start planning your upgrade before it’s too late.

Recently, we wrote about some vulnerabilities that endangered millions of WordPress sites. You should remember to check all installed plugins, widgets, and other apps, and make sure they are running on the latest possible versions. The rule applies to any content management system.

Researched and created by: Krum Popov
Technically reviewed by: Metodi Ivanov
