Drupal Patches Arbitrary File Upload Flaw


The maintainers of the popular Drupal content management system have released security updates for several of the current versions that fix numerous vulnerabilities, including a bug that allows for the upload of arbitrary files in some cases.

The file-upload flaw affects Drupal 8.8.x and 8.7.x and it stems from the fact that the CMS doesn’t remove a leading dot from filenames during the upload process. As a result, an attacker could fashion a file that would allow him to get remote code execution on a target server.

“Drupal 8 no longer trims the leading dot (“.”) from the filename on upload as Drupal 7 did. Modules or other code relying on the Drupal 7 behavior as a security control can become vulnerable when used with Drupal 8,” an advisory from Aon, which discovered the vulnerability, says.

“For example, Drupal 8 with a file upload module such as IMCE running under the default configuration with an Apache web server, allows authenticated administrative users to upload a .htaccess file that can modify the server’s executable file extensions to achieve remote code execution.”

The vulnerability is listed as moderately critical by Drupal, but Aon’s advisory makes clear that the bug can have some serious consequences, even if it’s exploited by someone other than an administrator.

“Under certain configurations, this issue can be exploited by non-administrative users as well. This is due to a change in the file_save_upload function between Drupal 7 and Drupal 8. The code snippet below from Drupal 7.6.7 utilizes the trim function to remove leading and trailing dots from the filename input,” the Aon advisory says.

“Conversely, Drupal 8’s file_save_upload function does not call trim and allows filenames with leading and trailing dots. This change in default behavior can lead to security vulnerabilities in cases where modules or other code relies on the previous behavior as a security control. For example, IMCE incorrectly assumes that Drupal 8 core prevents upload of a malicious .htaccess file as Drupal 7 did.”
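The advisory's point is that code handling uploads should not assume core strips dots for it. As an added illustration (not code from Drupal, IMCE or the Aon advisory), this PHP 8 example normalizes a client-supplied filename itself before applying an extension allow-list; the function name `sanitize_upload_name`, the allow-list and the sample filenames are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical module-side check (not Drupal or IMCE code): returns the name
 * to store, or null if the upload should be refused.
 */
function sanitize_upload_name(string $clientName, array $allowedExt): ?string
{
    // Keep only the last path component, whichever separator the client used.
    $name = basename(str_replace('\\', '/', $clientName));
    // Remove control characters (including NUL).
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name) ?? '';
    // Strip leading and trailing dots here instead of assuming core does it.
    $name = trim($name, '.');
    if ($name === '') {
        return null;
    }
    // Allow-list the final extension; a bare "htaccess" has none and fails.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $name : null;
}

// Constructed sample filenames, as a client might submit them.
$samples = ['photo.jpg', '.htaccess', '..htaccess', 'report.PDF.', '.htaccess.txt', '..'];
$allowed = ['jpg', 'png', 'pdf', 'txt'];

foreach ($samples as $raw) {
    $asIs = basename($raw);                 // stored unchanged: dots kept
    $dotfile = str_starts_with($asIs, '.'); // would land on disk as a dotfile
    $safe = sanitize_upload_name($raw, $allowed);
    printf("%-15s dotfile-if-untrimmed=%-3s stored-as=%s\n",
        $raw, $dotfile ? 'yes' : 'no', $safe ?? '(rejected)');
}
```

With these samples, `.htaccess` and `..htaccess` are rejected because nothing but an extensionless `htaccess` remains after trimming, while `.htaccess.txt` is stored as the harmless `htaccess.txt`.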

Drupal has released versions 8.7.11 and 8.8.1 to fix the vulnerability. There are also patches for several other flaws included in those releases, most notably a fix for a critical set of flaws in the way that Drupal processes several common file types, such as .tar, .tar.gz, .bz2, or .tlz files. Drupal also patched a separate flaw that can corrupt cached information.

“A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt,” the Drupal advisory says.

CC By-SA 2.0 license photo by Ixis IT.