The developers of Drupal, one of the most widely used content management systems (CMS), have released a set of security updates to fix a critical and relatively easy-to-exploit bug that could allow threat actors to take complete control of a vulnerable site. The fix was prepared in conjunction with external security researchers.

The flaw received a critical severity rating, so administrators of vulnerable sites should update as soon as possible. According to recent studies, Drupal is the fourth most used CMS on the Internet, behind only WordPress, Joomla and Shopify.

The flaw is tracked as CVE-2020-13671, and specialists consider it easy to exploit because it relies on an old trick known as the "double extension" attack.

In this attack, the threat actor appends a second extension to a malicious file so that it passes the upload filter and is executed anyway. As an example scenario, a file named malware.php could be renamed malware.php.txt. When uploaded to a Drupal site, it is classified as a text file rather than a PHP file, but on certain hosting configurations (for example Apache setups where a .php extension anywhere in the file name selects the PHP handler) the web server still executes the embedded PHP code when the file is requested.

Under normal conditions the CMS handles double extensions correctly: when a file is uploaded, Drupal rewrites any inner extension that is not on the site's allowed list by appending an underscore to it (malware.php.txt becomes malware.php_.txt), which prevents the web server from treating it as code. The flaw exists because Drupal failed to sanitize some file names in this way, so in some cases double-extension files were accepted unchanged and the attack succeeds.

The security advisory states that Drupal 7, 8 and 9 have all been patched. Since the fix only applies to new uploads, website administrators are also advised to audit files uploaded before the update to verify that no double-extension files were accepted without being renamed.

Experts recommend paying particular attention to the following file extensions, anywhere in the file name rather than only at the end:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml
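The audit described above is straightforward to script. The following example is added here and is not Drupal's own code or part of the advisory: it walks an upload directory, flags any file whose name carries one of the listed extensions in a non-final position (case-insensitively, and ignoring inner extensions already neutralised with a trailing underscore), and shows a denylist-based rename in the style of the underscore munging mentioned earlier. The sample file names are constructed for the demonstration, and the `munge_filename` helper is an illustration only: Drupal's real munging is allowlist-based, underscoring any inner extension that is not on the site's permitted list.

```python
import os
import tempfile

# Extensions from the advisory's list. A file is suspicious when one of
# these appears *inside* the file name, i.e. before the final extension.
DANGEROUS_EXTENSIONS = {
    "phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml",
}


def double_extension_hits(filename):
    """Return the dangerous inner extensions of a file name, in order.

    'malware.php.txt' -> ['php'], 'page.html.gif' -> ['html'],
    'archive.tar.gz' -> [] and 'script.php' -> [] (a single risky
    extension is a different problem, handled by the upload allowlist).
    Matching is case-insensitive, so 'Shell.PHP.txt' is caught too.
    An inner extension already neutralised with a trailing underscore
    ('malware.php_.txt') is not reported, because 'php_' != 'php'.
    """
    parts = filename.lower().split(".")
    inner = parts[1:-1]  # drop the basename and the final extension
    return [ext for ext in inner if ext in DANGEROUS_EXTENSIONS]


def audit_upload_dir(root):
    """Walk an upload directory and list (path, hits) for suspicious names."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            hits = double_extension_hits(name)
            if hits:
                findings.append((os.path.join(dirpath, name), hits))
    return findings


def munge_filename(filename):
    """Neutralise a double extension by appending '_' to each risky inner
    extension: 'malware.php.txt' -> 'malware.php_.txt'.

    Illustrative denylist version (assumption, not Drupal's code): Drupal's
    own munging instead underscores every inner extension that is NOT on
    the site's allowed-extension list, so it needs no fixed list of bad ones.
    """
    parts = filename.split(".")
    for i in range(1, len(parts) - 1):
        if parts[i].lower() in DANGEROUS_EXTENSIONS:
            parts[i] += "_"
    return ".".join(parts)


# Constructed sample file names (not taken from any real site) used to
# exercise the audit offline.
SAMPLE_NAMES = [
    "report.pdf",         # harmless single extension
    "archive.tar.gz",     # harmless double extension
    "malware.php.txt",    # the scenario from the advisory
    "Shell.PHP.txt",      # same trick, different case
    "page.html.gif",      # html hidden before an image extension
    "malware.php_.txt",   # already neutralised by renaming
]


def audit_sample():
    """Build a temporary upload tree from SAMPLE_NAMES, audit it and return
    the flagged basenames, sorted."""
    root = tempfile.mkdtemp(prefix="drupal_upload_audit_")
    subdir = os.path.join(root, "2020-11")
    os.makedirs(subdir)
    for name in SAMPLE_NAMES:
        with open(os.path.join(subdir, name), "w") as fh:
            fh.write("sample\n")
    findings = audit_upload_dir(root)
    return sorted(os.path.basename(path) for path, _ in findings)


if __name__ == "__main__":
    for name in audit_sample():
        print(f"{name}: inner extensions {double_extension_hits(name)}"
              f" -> rename to {munge_filename(name)}")
```

Run it against the real files directory (for example `sites/default/files`) instead of the constructed sample to get a list of uploads that need inspection; a hit only means the name matches the pattern, so each flagged file should still be reviewed before it is renamed or removed.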

Various members of the security community were surprised that Drupal still had to fix such a flaw, since the double-extension attack is one of the oldest tricks in malicious hacking and virtually all other CMSs have long since addressed it. The same trick remains a staple of attacks on Windows users, where malware authors disguise executables behind a harmless-looking extension (for example invoice.pdf.exe, whose final extension is hidden by Explorer's default setting of not showing known file types).