[Security-news] Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
security-news at drupal.org
security-news at drupal.org
Wed Jul 20 17:18:51 UTC 2022
View online: https://www.drupal.org/sa-core-2022-014
Project: Drupal core [1]
Date: 2022-July-20
Security risk: *Critical* 15∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Arbitrary PHP code execution
Description:
Drupal core sanitizes filenames with dangerous extensions upon upload
(reference: SA-CORE-2020-012 [3]) and strips leading and trailing dots from
filenames to prevent uploading server configuration files (reference:
SA-CORE-2019-010 [4]).
However, the protections for these two vulnerabilities previously did not
work correctly together. As a result, if the site were configured to allow
the upload of files with an htaccess extension, these files' filenames would
not be properly sanitized. This could allow bypassing the protections
provided by Drupal core's default .htaccess files and possible remote code
execution.
This issue is mitigated by the fact that it requires a field administrator to
explicitly configure a file field to allow htaccess as an extension (a
restricted permission), or a contributed module or custom code that overrides
allowed file uploads.
Solution:
Install the latest version:
* If you are using Drupal 9.4, update to Drupal 9.4.3 [5].
* If you are using Drupal 9.3, update to Drupal 9.3.19 [6].
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive
security coverage. Note that Drupal 8 has reached its end of life [7].
Drupal 7 core is not affected.
.... Auditing your files directory's .htaccess to ensure it has not been
overwritten or overridden in a subdirectory
If your web server uses Apache httpd with AllowOverride, you should check
within your files directories and subdirectories to ensure that any .htaccess
files present are intentional. You can search for files named .htaccess by
running the following command in the roots of both your public and private
files directory:
find ./ -name ".htaccess" -print
Drupal automatically creates .htaccess files like the following in the root
of the public files directory:
# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
# If we know how to do it safely, disable the PHP engine entirely.
php_flag engine off
php_flag engine off
Check with your system administrator for the correct .htaccess configuration
for the given files directory.
This advisory is not covered by Drupal Steward [8].
Reported By:
* elarlang [9]
Fixed By:
* Peter Wolanin [10] of the Drupal Security Team
* xjm [11] of the Drupal Security Team
* Drew Webber [12] of the Drupal Security Team
* Alex Bronstein [13] of the Drupal Security Team
* Greg Knaddison [14] of the Drupal Security Team
* Jen Lampton [15], provisional member of the Drupal Security Team
* Lee Rowlands [16] of the Drupal Security Team
* Dave Long [17], provisional member of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2020-012
[4] https://www.drupal.org/sa-core-2019-010
[5] https://www.drupal.org/project/drupal/releases/9.4.3
[6] https://www.drupal.org/project/drupal/releases/9.3.19
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/steward
[9] https://www.drupal.org/user/3583903
[10] https://www.drupal.org/user/49851
[11] https://www.drupal.org/user/65776
[12] https://www.drupal.org/user/255969
[13] https://www.drupal.org/user/78040
[14] https://www.drupal.org/user/36762
[15] https://www.drupal.org/user/85586
[16] https://www.drupal.org/user/395439
[17] https://www.drupal.org/user/246492
More information about the Security-news
mailing list