Drupal emergency updates fix critical arbitrary PHP code execution

Drupal has released emergency security updates to fix a critical flaw with known exploits that could allow for arbitrary PHP code execution.

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could be exploited to achieve arbitrary PHP code execution on some CMS versions.

The Drupal project uses the PEAR Archive_Tar library that was recently updated to address the CVE-2020-28948 and CVE-2020-28949.

As a consequence, multiple vulnerabilities impact Drupal installs when they are configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

“Drupal has released security updates to address vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system.” reads the advisory published by CISA.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisory SA-CORE-2020-013 and apply the necessary updates.”

“According to the regular security release window schedule, November 25th would not typically be a core security window,” reads the security advisory published by Drupal.

“However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”

Drupal released the following updates to address the issues:

• Drupal 9.0 users should update to Drupal 9.0.9
• Drupal 8.9 users should update to Drupal 8.9.10
• Drupal 8.8 or earlier users should update to Drupal 8.8.12
• Drupal 7 users should update to Drupal 7.75

“Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage,” Drupal’s security team added.

Drupal also recommends to mitigate this issue by preventing untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

The number of vulnerable Drupal installs is approximatively over 940,000 out of a total of 1,120,94.

Last week, the Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files.

The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.

The flaw could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PHP code execution)

[adrotate banner=”5″]

[adrotate banner=”13″]