, Drupal sites vulnerable to double-extension attacks

Image: Durpal Project // Composition: ZDNet

The team behind the Drupal content management system (CMS) has released this week security updates to patch a critical vulnerability that is easy to exploit and can grant attackers full control over vulnerable sites.

Drupal, which is currently the fourth most used CMS on the internet after WordPress, Shopify, and Joomla, gave the vulnerability a rating of “Critical,” advising site owners to patch as soon as possible.

Tracked as CVE-2020-13671, the vulnerability is ridiculously simple to exploit and relies on the good ol’ “double extension” trick.

Attackers can add a second extension to a malicious file, upload it on a Drupal site through open upload fields, and have the malicious executed.

For example, a malicious file like malware.php could be renamed to malware.php.txt. When uploaded on a Drupal site, the file would be classified as a text file rather than a PHP file but Drupal would end up executing the malicious PHP code when trying the read the text file.

Drupal devs urge site admins to review recent uploads

Normally, files with two extensions would be detected, but in a security advisory published on Wednesday, Drupal devs said the vulnerability resides in the fact that the Drupal CMS does not sanitize “certain” file names, allowing some malicious files to slip through.

Drupal devs say this “can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.”

Security updates were released for the Drupal 7, 8, and 9 versions to correct the file upload sanitization procedures.

But the Drupal team also urges site admins to review recent uploads for files with two extensions; in case the bug has been discovered and exploited by attackers before the patch.

“Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

“This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis,” Drupal devs said.

It is surprising that such a bug was discovered in Drupal. The double-extension trick is one of the oldest tricks in the book, and it’s one of the main attack vectors that CMS products validate when processing upload fields.

The issue has also been a major issue for Windows users, where malware authors often distribute files with two extensions, such as file.png.exe.

Because Windows hides the last file extension by default, the EXE extensions is hidden while only the first one is shown, tricking users into believing they’re opening an image but, in fact, are actually running an executable file that eventually installs malware.