Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4096 Drupal core - Critical - Remote code execution - SA-CORE-2020-012 19 November 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-13671 Original Bulletin: https://www.drupal.org/sa-core-2020-012 - --------------------------BEGIN INCLUDED TEXT-------------------- Drupal core - Critical - Remote code execution - SA-CORE-2020-012 Project: Drupal core Date: 2020-November-18 Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default Vulnerability: Remote code execution CVE IDs: CVE-2020-13671 Description: Update November 18: Documented longer list of dangerous file extensions Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. Solution: Install the latest version: o If you are using Drupal 9.0, update to Drupal 9.0.8 o If you are using Drupal 8.9, update to Drupal 8.9.9 o If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11 o If you are using Drupal 7, update to Drupal 7.74 Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif . Pay specific attention to the following file extensions, which should be considered dangerous even when followed by another extension: o phar o php o pl o py o cgi o asp o js o html o htm (Note that the list is not exhaustive.) Reported By: o ufku o Mark Ferree o Frederic G. Marand o Samuel Mortenson of the Drupal Security Team o Derek Wright Fixed By: o Heine of the Drupal Security Team o ufku o Mark Ferree o Michael Hess of the Drupal Security Team o David Rothstein of the Drupal Security Team o Peter Wolanin of the Drupal Security Team o Jess of the Drupal Security Team o Frederic G. Marand o Stefan Ruijsenaars o David Snopek of the Drupal Security Team o Rick Manelius o David Strauss of the Drupal Security Team o Samuel Mortenson of the Drupal Security Team o Ted Bowman o Alex Pott of the Drupal Security Team o Derek Wright o Lee Rowlands of the Drupal Security Team o Kim Pepper o Wim Leers o Nate Lampton o Drew Webber of the Drupal Security Team o Fabian Franz o Alex Bronstein of the Drupal Security Team o Neil Drumm of the Drupal Security Team o Joseph Zhao o Ryan Aslett - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX7XL2eNLKJtyKPYoAQgcMxAAnB9UX2ynJLk4rE6pPhckT9Wp9I/yop2l DZJ3zxZ+Yqh4fJbT0l0zt9pTxywBBC3d7hrNefS7QMmeweSJ3TX4fTVgDZpElW3s F6sLxMRL6/tmUXZZzLQtG09pmA35KGxwSa6wNJa6nYRO+M8DKI4Bjjwi9XckUz+o s1qISWMv4j4MD2AeGbZ30TeR/SO5Zu+ko9BlhXCJmDoz8Fy2VgbU4n/02hT7Cb41 5eoyL4xEXitvJ0VHg1BRliWRU67wfyGLl5pjQ+SLPO2Me2rMgouoLhPHLygzBj+9 L7dT4FY09tHOI8XA0iCUWGuSrxkPphfWf1Utpu8U1lfxSpaGvTqSexuClMxjnpJl 2qw0a2mvqJkpj9dQPRyIeJXUrD14pVX2WvBId6Uw2U/VpznYBt5zIcFQl/0sOAhR kyaT1des6wRHVMsoucGkWDrM7rhwsJ/6V6hbsdFUazFWuB6iwnm5zGj0l223Wq8k NSfuloI5c8MpjnW5ATZVBF5Zdk4L3Ru16fWT8D+XgxSNwm+1M695QVYJ2dPwKwo0 FpuNsBgtQxbXa7Z7to5FfcCHhWnuYWrtlFFY/mMGB51RNFPw8d3rsefSE9YRWfar ZZuYHGkaHd89SJX8eEfxnqU4yUdD01ILpihqPwpbzSX7XG0y+wxG1VQCZG3rf6J/ xfbdCU+OFrQ= =9rry -----END PGP SIGNATURE-----