Date:
Wednesday, Nov 18th, 2020
Advisory ID:
BACKDROP-SA-CORE-2020-007
Security risk:
Critical
Vulnerability:
Remote Code Execution
CVE ID:
Versions affected:
- Backdrop Core 1.17.x versions prior to 1.17.3
- Backdrop Core 1.16.x versions prior to 1.16.5
Backdrop versions 1.15 and prior do not receive security coverage.
Description:
Backdrop core does not properly sanitize certain filenames on uploaded files. This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type, or executed as PHP for certain hosting configurations.
Solution:
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.17.3 release page. See the update instructions, if needed.
Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif.
Reported By:
- ufku
- Mark Ferree
- Frédéric G. Marand
- Samuel Mortenson of the Drupal Security Team
- Derek Wright
Fixed By:
- Heine of the Drupal Security Team
- ufku
- Mark Ferree
- Michael Hess of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Jess of the Drupal Security Team
- Frédéric G. Marand
- Stefan Ruijsenaars
- David Snopek of the Drupal Security Team
- Rick Manelius
- David Strauss of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Ted Bowman
- Alex Pott of the Drupal Security Team
- Derek Wright
- Lee Rowlands of the Drupal Security Team
- Kim Pepper
- Wim Leers
- Nate Lampton
- Drew Webber of the Drupal Security Team
- Fabian Franz
- Alex Bronstein of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Joseph Zhao
- Ryan Aslett
- Jen Lampton of the Backdrop Security Team
- Nate Lampton of the Backdrop Security Team