Drupal has released a security update that fixes a Critical RCE vulnerability in multiple versions of Drupal.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Drupal advisory SA-CORE-2020-012 patches a Critical remote code execution (RCE) vulnerability, CVE-2020-13671. The issue affects Drupal 7, 8.8 and earlier, 8.9 and 9.0; the fixed releases are 7.74, 8.8.11, 8.9.9 and 9.0.8.
“Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations,” Drupal stated in the advisory.
Because the flaw concerns how filenames are sanitized on upload, patching alone does not clean up files that were uploaded before the fix. Drupal therefore also advised site administrators to audit previously uploaded files for malicious extensions:
“It’s recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension.”
Drupal added that the following file extensions should be treated as dangerous even when they are followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm and phtml.
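The audit Drupal recommends can be scripted. The following is an added example, not code from the Drupal project or the advisory: it walks an upload directory (the `sites/default/files` path is an assumption; adjust it for your site), flags any file whose intermediate extensions include one from the advisory's list without the trailing underscore that marks an already-sanitized name, and shows how a filename looks once an underscore has been appended to non-allowed intermediate extensions, modelled on Drupal's own munging behaviour (the exact behaviour of Drupal's sanitizer is an assumption here; consult the patched core for the authoritative logic). The sample filenames are constructed for illustration.

```python
import os

# Extensions the advisory lists as dangerous even when followed by
# one or more further extensions (e.g. shell.php.txt).
DANGEROUS = {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"}

# Constructed sample filenames for a dry run without touching the filesystem.
SAMPLE_NAMES = [
    "avatar.png",          # single, harmless extension
    "filename.php.txt",    # the advisory's first example: suspicious
    "filename.html.gif",   # the advisory's second example: suspicious
    "report.php_.txt",     # already munged with "_": not suspicious
    "notes.final.pdf",     # double extension, but no dangerous one
    "index.phtml.jpg",     # dangerous extension hidden behind an image one
]


def suspicious_extensions(filename):
    """Return the dangerous intermediate extensions found in filename.

    Only extensions that are NOT the last one are considered, because that
    is the double-extension case the advisory describes. Matching is
    case-insensitive, since web servers usually map extensions that way.
    A munged extension such as "php_" no longer equals "php" and is skipped.
    """
    parts = filename.split(".")
    return [ext for ext in parts[1:-1] if ext.lower() in DANGEROUS]


def audit_names(names):
    """Return (name, [dangerous extensions]) for every suspicious name."""
    hits = []
    for name in names:
        found = suspicious_extensions(name)
        if found:
            hits.append((name, found))
    return hits


def audit_directory(root):
    """Walk an upload directory and return suspicious files relative to root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name, found in audit_names(filenames):
            path = name if rel == "." else os.path.join(rel, name)
            hits.append((path, found))
    return hits


def munge_filename(filename, allowed_extensions):
    """Append "_" to every intermediate extension not in the allowed list.

    This mirrors the underscore the advisory tells you to look for: after
    munging, filename.php.txt becomes filename.php_.txt, which no common
    server configuration will execute as PHP. The last extension is left
    alone; it is expected to be validated separately against the allow-list.
    """
    parts = filename.split(".")
    if len(parts) < 3:
        return filename  # no intermediate extension to munge
    allowed = {e.lower() for e in allowed_extensions}
    middle = [ext if ext.lower() in allowed else ext + "_" for ext in parts[1:-1]]
    return ".".join([parts[0]] + middle + [parts[-1]])


if __name__ == "__main__":
    # Dry run on the constructed names, then on a real upload directory
    # (path is an assumption for a typical Drupal install).
    for name, found in audit_names(SAMPLE_NAMES):
        print(f"SUSPICIOUS: {name}  (dangerous extensions: {', '.join(found)})")
        print(f"  sanitized name would be: {munge_filename(name, ['txt', 'gif', 'jpg', 'png', 'pdf'])}")
    upload_dir = "sites/default/files"
    if os.path.isdir(upload_dir):
        for path, found in audit_directory(upload_dir):
            print(f"SUSPICIOUS: {path}  ({', '.join(found)})")
```

Expect some false positives that need a human look: a source map named `app.js.map` or a vendored `jquery.min.js.gz` has `js` as an intermediate extension and will be flagged. Conversely, a file whose last extension is dangerous (`shell.php` alone) is not a double-extension case and is not reported here; that should already be blocked by the upload validators, but it is worth a separate check that nothing with a bare executable extension sits in a public files directory.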