Drupal fixes critical bug allowing hackers to access websites

New Delhi, Nov 22 (IANS): Drupal, which is currently the fourth most used content management service (CMS) platform on Internet after WordPress, Shopify and Joomla, has fixed a critical bug that could allow hackers to gain full access over vulnerable websites.

The Drupal team this week released security updates to patch the critical vulnerability, reports ZDNet.

Tracked as CVE-2020-13671, the vulnerability is easy to exploit and relies on "double extension" trick.

"Attackers can add a second extension to a malicious file, upload it on a Drupal site through open upload fields, and have the malicious executed," the report said on Saturday.

The Drupal team said the vulnerability the CMS does not sanitise "certain" file names, allowing some malicious files to slip through.

This can lead to "files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations".

Last month, the cyber security researchers unearthed a massive botnet network called KashmirBlack, being run from Indonesia, that has attacked websites running popular content management systems (CMSs) like WordPress, Drupal and Joomla!, among others.

The highly-sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cyber security form Imperva.

The botnet's primary purpose appears to infect websites, and then use their servers for cryptocurrency mining.

Based in Indonesia, the hackers have a command-and-control (C&C) infrastructure to operate KashmirBlack.





Title : Drupal fixes critical bug allowing hackers to access websites


You have 2000 characters left.


Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.

Security Validation

Enter the characters in the image