====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN630
_____________________________________________________________________

DATE                : 20/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to
                               9.0.8, 8.9.9, 8.8.11, 7.74.

=====================================================================
https://www.drupal.org/sa-core-2020-012
_____________________________________________________________________

Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Project:         Drupal core
Date:            2020-November-18
Security risk:
Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability:   Remote code execution
CVE IDs:         CVE-2020-13671


Description:

Update November 18: Documented longer list of dangerous file extensions

Drupal core does not properly sanitize certain filenames on uploaded
files, which can lead to files being interpreted as the incorrect
extension and served as the wrong MIME type or executed as PHP for
certain hosting configurations.


Solution:

Install the latest version:

    If you are using Drupal 9.0, update to Drupal 9.0.8
    If you are using Drupal 8.9, update to Drupal 8.9.9
    If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
    If you are using Drupal 7, update to Drupal 7.74

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage.

Additionally, it's recommended that you audit all previously uploaded
files to check for malicious extensions. Look specifically for files
that include more than one extension, like filename.php.txt or
filename.html.gif, without an underscore (_) in the extension. Pay
specific attention to the following file extensions, which should be
considered dangerous even when followed by one or more additional
extensions:

    phar
    php
    pl
    py
    cgi
    asp
    js
    html
    htm
    phtml

This list is not exhaustive, so evaluate security concerns for other
unmunged extensions on a case-by-case basis.


Reported By:

    ufku
    Mark Ferree
    Frédéric G. Marand
    Samuel Mortenson of the Drupal Security Team
    Derek Wright

Fixed By:

    Heine of the Drupal Security Team
    ufku
    Mark Ferree
    Michael Hess of the Drupal Security Team
    David Rothstein of the Drupal Security Team
    Peter Wolanin of the Drupal Security Team
    Jess of the Drupal Security Team
    Frédéric G. Marand
    Stefan Ruijsenaars
    David Snopek of the Drupal Security Team
    Rick Manelius
    David Strauss of the Drupal Security Team
    Samuel Mortenson of the Drupal Security Team
    Ted Bowman
    Alex Pott of the Drupal Security Team
    Derek Wright
    Lee Rowlands of the Drupal Security Team
    Kim Pepper
    Wim Leers
    Nate Lampton
    Drew Webber of the Drupal Security Team
    Fabian Franz
    Alex Bronstein of the Drupal Security Team
    Neil Drumm of the Drupal Security Team
    Joseph Zhao
    Ryan Aslett



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================