Project:
Date:
2020-November-18
Vulnerability:
Remote code execution
CVE IDs:
CVE-2020-13671
Description:
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
Solution:
Install the latest version:
- If you are using Drupal 9.0, update to Drupal 9.0.8
- If you are using Drupal 8.9, update to Drupal 8.9.9
- If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
- If you are using Drupal 7, update to Drupal 7.74
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif.
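One way to run the audit recommended above, as an added example that is not part of the original advisory or of Drupal's own code. It walks an upload directory passed as an argument and reports every file with more than one extension, marking it "risky" when a non-final extension is in the `RISKY` set; the contents of that set, the verdict names and the sample file names are assumptions made for illustration.

```python
import os
import sys
import tempfile

# Assumption: extensions a server may execute or serve as active content.
# Adjust this set to match your own hosting configuration.
RISKY = {"php", "phtml", "phar", "pl", "py", "cgi", "asp", "js", "html", "htm", "svg"}


def classify(filename):
    """Return None, 'multi' or 'risky' for a bare file name."""
    # Leading dots (dotfiles) and trailing dots are not extensions.
    parts = [p.lower() for p in filename.strip(".").split(".") if p]
    exts = parts[1:]
    if len(exts) < 2:
        return None
    # A risky extension hidden before the final one, e.g. .php.txt
    return "risky" if any(e in RISKY for e in exts[:-1]) else "multi"


def audit(root):
    """Walk root and return sorted (relative_path, verdict) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify(name)
            if verdict:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, verdict))
    return sorted(findings)


def demo():
    """Audit a constructed upload tree (sample names, not real data)."""
    samples = ("logo.png", "notes.php.txt", ".htaccess",
               "2020-11/banner.html.gif", "2020-11/backup.tar.gz")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2020-11"))
        for rel in samples:
            open(os.path.join(root, rel), "w").close()
        return audit(root)


if __name__ == "__main__":
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, verdict in results:
        print(f"{verdict:5}  {path}")
```

Files reported as "multi" (for example .tar.gz archives) are usually legitimate and are listed so they can be reviewed by hand.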
Reported By:
- ufku
- Mark Ferree
- Frédéric G. Marand
- Samuel Mortenson of the Drupal Security Team
- Derek Wright
Fixed By:
- Heine of the Drupal Security Team
- ufku
- Mark Ferree
- Michael Hess of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Jess of the Drupal Security Team
- Frédéric G. Marand
- Stefan Ruijsenaars
- David Snopek of the Drupal Security Team
- Rick Manelius
- David Strauss of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Ted Bowman
- Alex Pott of the Drupal Security Team
- Derek Wright
- Lee Rowlands of the Drupal Security Team
- Kim Pepper
- Wim Leers
- Nate Lampton
- Drew Webber of the Drupal Security Team
- Fabian Franz
- Alex Bronstein of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Joseph Zhao
- Ryan Aslett