Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4096
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
19 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Drupal
Publisher: Drupal
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13671
Original Bulletin:
https://www.drupal.org/sa-core-2020-012
- --------------------------BEGIN INCLUDED TEXT--------------------
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
Project: Drupal core
Date: 2020-November-18
Security risk: Critical 17/25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote code execution
CVE IDs: CVE-2020-13671
Description:
Update November 18: Documented longer list of dangerous file extensions
Drupal core does not properly sanitize certain filenames on uploaded files,
which can lead to files being interpreted as the incorrect extension and served
as the wrong MIME type or executed as PHP for certain hosting configurations.
Solution:
Install the latest version:
o If you are using Drupal 9.0, update to Drupal 9.0.8
o If you are using Drupal 8.9, update to Drupal 8.9.9
o If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
o If you are using Drupal 7, update to Drupal 7.74
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage.
Additionally, it's recommended that you audit all previously uploaded files to
check for malicious extensions. Look specifically for files that include more
than one extension, like .php.txt or .html.gif . Pay specific attention to the
following file extensions, which should be considered dangerous even when
followed by another extension:
o phar
o php
o pl
o py
o cgi
o asp
o js
o html
o htm
(Note that the list is not exhaustive.)
Reported By:
o ufku
o Mark Ferree
o Frederic G. Marand
o Samuel Mortenson of the Drupal Security Team
o Derek Wright
Fixed By:
o Heine of the Drupal Security Team
o ufku
o Mark Ferree
o Michael Hess of the Drupal Security Team
o David Rothstein of the Drupal Security Team
o Peter Wolanin of the Drupal Security Team
o Jess of the Drupal Security Team
o Frederic G. Marand
o Stefan Ruijsenaars
o David Snopek of the Drupal Security Team
o Rick Manelius
o David Strauss of the Drupal Security Team
o Samuel Mortenson of the Drupal Security Team
o Ted Bowman
o Alex Pott of the Drupal Security Team
o Derek Wright
o Lee Rowlands of the Drupal Security Team
o Kim Pepper
o Wim Leers
o Nate Lampton
o Drew Webber of the Drupal Security Team
o Fabian Franz
o Alex Bronstein of the Drupal Security Team
o Neil Drumm of the Drupal Security Team
o Joseph Zhao
o Ryan Aslett
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX7XL2eNLKJtyKPYoAQgcMxAAnB9UX2ynJLk4rE6pPhckT9Wp9I/yop2l
DZJ3zxZ+Yqh4fJbT0l0zt9pTxywBBC3d7hrNefS7QMmeweSJ3TX4fTVgDZpElW3s
F6sLxMRL6/tmUXZZzLQtG09pmA35KGxwSa6wNJa6nYRO+M8DKI4Bjjwi9XckUz+o
s1qISWMv4j4MD2AeGbZ30TeR/SO5Zu+ko9BlhXCJmDoz8Fy2VgbU4n/02hT7Cb41
5eoyL4xEXitvJ0VHg1BRliWRU67wfyGLl5pjQ+SLPO2Me2rMgouoLhPHLygzBj+9
L7dT4FY09tHOI8XA0iCUWGuSrxkPphfWf1Utpu8U1lfxSpaGvTqSexuClMxjnpJl
2qw0a2mvqJkpj9dQPRyIeJXUrD14pVX2WvBId6Uw2U/VpznYBt5zIcFQl/0sOAhR
kyaT1des6wRHVMsoucGkWDrM7rhwsJ/6V6hbsdFUazFWuB6iwnm5zGj0l223Wq8k
NSfuloI5c8MpjnW5ATZVBF5Zdk4L3Ru16fWT8D+XgxSNwm+1M695QVYJ2dPwKwo0
FpuNsBgtQxbXa7Z7to5FfcCHhWnuYWrtlFFY/mMGB51RNFPw8d3rsefSE9YRWfar
ZZuYHGkaHd89SJX8eEfxnqU4yUdD01ILpihqPwpbzSX7XG0y+wxG1VQCZG3rf6J/
xfbdCU+OFrQ=
=9rry
-----END PGP SIGNATURE-----