Drupal developers fixed a code execution flaw in the popular CMS

Drupal development team released security updates to fix multiple issues, including a critical code execution flaw.

Drupal developers have released security updates to address multiple vulnerabilities in the popular CMS:

The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for the above vulnerabilities. 

The most severe one, rated as “critical,” is an arbitrary PHP code execution tracked as CVE-2022-25277.

“Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).” reads the advisory. “However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.”

In order to mitigate the issue, it is mandatory for the field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. The vulnerability impacts 9.4, and 9.3 versions, the advisory states that the issue only affects Apache web servers with specific configurations.

The other three vulnerabilities have been rated as “moderately critical,” that can lead to cross-site scripting (XSS) attacks, information disclosure, or access bypass.

All the issues impact the 9.4, and 9.3 versions, but the information disclosure vulnerability also impacts version 7.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Content Management System, critical code execution flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.