Last week Drupal's team released security updates for their Content Management System (CMS) to patch a double-extension vulnerability – CVE-2020-13671. The vulnerability has been marked 'Critical' and can be exploited by attackers, in the worst case allowing them to take over websites running on Drupal. The team has also recommended that website admins check their sites for any foul play or signs of exploitation.
Today, Drupal is the fourth most used CMS on the internet after WordPress, Joomla, and Shopify. Over a million sites globally depend on Drupal; while that is far fewer than WordPress, it is still a substantial number. A lot of websites are therefore at risk from the vulnerability.
What do you need to know about the double-extension vulnerability – CVE-2020-13671?
This double-extension vulnerability relies on a trivial concept and is therefore very easy to exploit. All the attackers need to do is add a second extension to their malicious file and upload it to Drupal via an open upload field. That's it.
What actually happens is that Drupal's standard release fails to sanitize the names of certain uploaded files. So a malicious file with two extensions, like .php.txt, may be interpreted as the wrong extension and thus served with the incorrect MIME type or, on some hosting configurations, executed as PHP.
Let's take an example. Consider a malicious file named malware.php, which can be renamed to malware.php.txt. Once this file is uploaded to a Drupal site, the system would not classify it as a PHP file but as a text file. Yet when the file is requested, Drupal would ultimately end up executing the PHP code in it.
The Drupal team has released updates to patch the vulnerability and advised admins of Drupal sites to upgrade their Drupal versions at the earliest opportunity. Depending on their current Drupal version, they should upgrade to one of Drupal 7.74, 8.8.9, 8.8.11 or 9.0.8.
Drupal suggests checking recent uploads for double-extensions
Even though the company has released updates, it still urges admins to audit any previously uploaded files to ensure none carry malicious extensions. The company has advised this as a preventive measure to ensure complete security of data.
Admins are asked to audit all previously uploaded files, looking for files with more than one extension and no underscore (_) in the name, like .php.txt or .html.gif. Files with the following extensions are especially dangerous, whether they are followed by one or more further extensions –
- phar
- php
- pl
- py
- cgi
- asp
- js
- html
- htm
- phtml
Besides looking for these extensions, the company has also advised evaluating security concerns on a case-by-case basis for other unmunged extensions.
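The audit Drupal recommends can be scripted. The following is an added example, not Drupal's own code: it walks an upload directory and flags any file whose name carries one of the listed extensions followed by at least one more extension, skipping names that Drupal's own munging has already neutralised with a trailing underscore (e.g. malware.php_.txt). The sample file names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions singled out in Drupal's advisory. A file name in which one of
# these is followed by another extension (".php.txt", ".html.gif") is suspect.
DANGEROUS_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "asp",
                        "js", "html", "htm", "phtml"}


def classify_upload(filename: str) -> Optional[str]:
    """Return the dangerous inner extension of a double-extension name, or None.

    Drupal munges a risky inner extension by appending an underscore
    (malware.php.txt -> malware.php_.txt); such names are treated as safe.
    """
    parts = Path(filename).name.split(".")
    if len(parts) < 3:              # base name plus at most one extension
        return None
    for inner in parts[1:-1]:       # every extension except the final one
        ext = inner.lower()
        if ext.endswith("_"):       # already munged, e.g. "php_"
            continue
        if ext in DANGEROUS_EXTENSIONS:
            return ext
    return None


def audit_upload_dir(root: str) -> List[Tuple[str, str]]:
    """Walk an upload tree and return (path, dangerous_ext) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = classify_upload(name)
            if ext:
                hits.append((os.path.join(dirpath, name), ext))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample names standing in for a site's files directory.
    samples = ["report.pdf", "malware.php.txt", "page.html.gif",
               "safe.php_.txt", "archive.tar.gz", "shell.PHTML.jpg"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in samples:
            Path(tmp, name).touch()
        for path, ext in audit_upload_dir(tmp):
            print(f"{path}: inner extension '.{ext}' needs review")
```

Point audit_upload_dir at the site's public and private files directories; every hit is a candidate for review or deletion, not automatically malware.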
It’s a trivial vulnerability!
The double-extension vulnerability is the simplest and most trivial form of vulnerability to affect Drupal, and it is a surprise that they weren't already prepared for it. Double extensions are a common attack vector that CMS products are expected to validate when they process uploaded files.
Besides Drupal, double extensions have also long been a concern for Windows users, as malware authors quite often distribute files with two extensions, like file.png.exe. This helps them because Windows by default hides the last extension of the file. In the mentioned case, only the PNG extension will be visible while the EXE extension will be hidden. What this essentially means is that they can trap users into believing they are opening an image, while they are actually running an executable that will install malware on their system.
Though there are no reports of the double-extension vulnerability being exploited in the wild yet, the company has still advised all admins to take precautionary measures and verify that no double-extension files have been uploaded previously. Besides that, upgrading their Drupal version is the other step they can take to ensure the safety of their data in the time to come.