Drupal fixes critical bug that allowed hackers to access websites
Drupal, which is currently the fourth most used content management service (CMS) platform on Internet after WordPress, Shopify and Joomla, has fixed a critical bug that could allow hackers to gain full access over vulnerable websites.
The Drupal team this week released security updates to patch the critical vulnerability, reports ZDNet.
Tracked as CVE-2020-13671, the vulnerability is easy to exploit and relies on “double extension” trick.
“Attackers can add a second extension to a malicious file, upload it on a Drupal site through open upload fields, and have the malicious executed,” the report said on Saturday.
The Drupal team said the vulnerability the CMS does not sanitise “certain” file names, allowing some malicious files to slip through.
This can lead to “files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations”.
Last month, the cyber security researchers unearthed a massive botnet network called KashmirBlack, being run from Indonesia, that has attacked websites running popular content management systems (CMSs) like WordPress, Drupal and Joomla!, among others.
The highly-sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cyber security form Imperva.
The botnet’s primary purpose appears to infect websites, and then use their servers for cryptocurrency mining.
Based in Indonesia, the hackers have a command-and-control (C&C) infrastructure to operate KashmirBlack.