Project: 
Drupal core
Date: 
2020-November-18
Security risk: 
Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: 
Remote code execution
CVE IDs: 
CVE-2020-13671
Description: 

Update November 18: Documented longer list of dangerous file extensions

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.

Reported By: 
Fixed By: 
https://www.drupal.org/sa-core-2020-012