Security

Drupal developers fixed a code execution flaw in the popular CMS

Drupal development team released security updates to fix multiple issues, including a critical code execution flaw.

Drupal developers have released security updates to address multiple vulnerabilities in the popular CMS:

The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for the above vulnerabilities. 

The most severe one, rated as “critical,” is an arbitrary PHP code execution tracked as CVE-2022-25277.

“Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).” reads the advisory. “However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.”

In order to mitigate the issue, it is mandatory for the field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. The vulnerability impacts 9.4, and 9.3 versions, the advisory states that the issue only affects Apache web servers with specific configurations.

The other three vulnerabilities have been rated as “moderately critical,” that can lead to cross-site scripting (XSS) attacks, information disclosure, or access bypass.

All the issues impact the 9.4, and 9.3 versions, but the information disclosure vulnerability also impacts version 7.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Content Management System, critical code execution flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco states that the second data leak is linked to the one from October

Cisco confirmed the authenticity of the 4GB of leaked data, the data was compromised in…

3 hours ago

Threat actors attempt to exploit a flaw in Four-Faith routers<gwmw style="display:none;"></gwmw>

VulnCheck researchers warn that threat actors are attempting to exploit a high-severity vulnerability impacting some…

8 hours ago

ZAGG disclosed a data breach that exposed its customers’ credit card data

ZAGG Inc. notifies customers of credit card data breach, after threat actors hacked a third-party…

17 hours ago

China-linked APT Salt Typhoon breached a ninth U.S. telecommunications firm

A White House official confirmed that China-linked threat actor Salt Typhoon breached a ninth U.S.…

1 day ago

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 26

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

Security Affairs newsletter Round 504 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

This website uses cookies.